CMMI Model V3.0
ISACA owns all copyright, trademark, and all other intellectual property rights in the CMMI
Content. You may not reproduce, duplicate, copy, sell, resell, assign, transfer, create derivative
works of, incorporate in any software or tool, or commercially exploit any portion of the CMMI
Content, without express written permission by ISACA. You are solely responsible for your use
of the CMMI Content, and agree to defend, indemnify and hold ISACA harmless from any
claims, liability, damages, costs or expenses incurred by ISACA arising from your use of the
CMMI Content.
2023-11-20 21:41:42 This copy is licensed solely to Jean Franco Cespedes Pasion, who agrees not to reproduce, duplicate, copy, sell, resell, assign, transfer or exploit
any portion of this document without express written permission by ISACA. Usage by others is prohibited.
3
List of Figures
Figure 1. Why Build Capability? (p. 5)
Figure 2. Why use CMMI? (p. 7)
Figure 3. Driving Performance through Capability (p. 9)
Figure 4. Model Content Organization (p. 11)
Figure 5. CMMI Performance Solutions Ecosystem (p. 12)
Figure 6. Integrated CMMI Products (p. 13)
Figure 7. CMMI Model Structure (p. 14)
Figure 8. CMMI Component Structure (p. 15)
Figure 9. CMMI Component Structure - Views (p. 17)
Figure 10. Domain Descriptions (p. 18)
Figure 11. Planning and Managing Work Capability Area View (p. 18)
Figure 12. Categories and Associated Capability Areas (p. 20)
Figure 13. Practice Area Organization (p. 22)
Figure 14. Practice Group Level Characteristics (p. 23)
Figure 15. Practice Area Versus Practice Structure (p. 25)
Figure 16. Example Icon, DAR (p. 26)
Figure 17. Model Content Relationships (p. 27)
Figure 18. Four Stages of Process Discipline (p. 30)
Figure 19. Four Characteristics of Process Habit and Persistence (p. 34)
Figure 20. High Maturity Foundational Building Blocks (p. 38)
Figure 21. High Maturity QPPO Funnel (p. 39)
Figure 22. High Maturity Capability Area and Practice Area Relationships (p. 40)
Figure 23. Maturity Levels 2 & 3 Versus 4 & 5 (p. 41)
Figure 24. Using High Maturity to Determine if Work Should be Accepted (p. 43)
Figure 25. Two Approaches to Improvement (p. 44)
The architecture and design of the CMMI Performance Solutions ecosystem, formerly the CMMI V2.0
Product Suite, is a radical departure from its predecessors, intended to make it more useful and adoptable
for customers and businesses. One of the key drawbacks of complex maturity models is the
time and resources it takes to make updates and keep them current with business, technology
trends, and market demands. To address this challenge, the architecture of CMMI was
specifically designed to be flexible, agile, and evolve as these and other factors change. This
enables rapid development and addition of relevant new content at the speed of business,
technology, and change.
CMMI provides guidance for applying this set of best practices in a business or organization, to
ensure quality and timely solutions that delight customers and end users. Every company or
organization can benefit from improving performance and reducing risk. The CMMI provides a
roadmap that guides improvement from ad hoc activities to using recorded processes for a
disciplined and consistent approach for achieving performance against business objectives
related to:
• Cost Management
• Customer Satisfaction
• Functionality
• Organization Finance
• Process
• Productivity
• Quality
• Safety
• Schedule
• Security
• Staff Development
• Supplier
Purpose
The CMMI is an organized collection of best practices for business and performance
improvement. Best practices in the model focus on what needs to be done to improve
performance, not how to do it. Successful adoption of the CMMI requires consideration of the
organization’s specific context and associated domains. One specific approach may not be
successful in every situation. CMMI has been explicitly designed to be understandable,
accessible, and flexible to a broad variety of businesses and types of work. It facilitates faster,
easier, and successful improvement to address:
• Increasing performance
• Industry-specific needs
• Multiple types of organizations, projects, and domains
• Market drivers, such as:
o Business and industry trends
o Regulatory requirements
o New or changing technologies
Audience
The audience for CMMI includes anyone interested in improving performance in any business
environment. Whether you are seeking information to begin improving your performance or are
already familiar with the concept of capability maturity models, the CMMI can be useful to you.
CMMI can also be effectively used for performing due diligence in the selection of potential
suppliers, or on an organization you might be interested in acquiring.
As part of the integrated CMMI Performance Solutions ecosystem, ISACA has published
guidance to help you begin or continue your performance improvement journey by adopting
CMMI. Refer to Appendix C: CMMI Adoption Resources, for the CMMI adoption guidance
and a list of additional resources that address critical business performance and capability
challenges.
Figure 6. Integrated CMMI Products illustrates the relationship across the CMMI products and
systems. This integrated approach was designed to reduce the “stove piping” of CMMI
Performance Solution components.
A CMMI architecture provides a flexible performance improvement model and structure that can
adapt to meet short- and long-term needs. The architecture and substructures can
accommodate existing and future models and content.
The CMMI architecture is designed to minimize the size and complexity of the model, yet not
lose the ability to have extensive explanatory material for advanced users who want an in-depth
understanding of a topic area. This is accomplished by providing an electronic format with links
to external informative material. This allows the informative material to be updated to
accommodate technical changes without having to update the core model.
This approach makes it possible for end users to design a view of the model that meets their
organization’s performance improvement needs, which lets the CMMI be effective for a
wide range of organizations. For example, when the model is used as part of a supplier selection
process, only a subset of model components may be critical for a specific supplier selection. The
organization can construct a custom view that fits those priorities, so they and their potential
suppliers know what is expected.
Historically, CMMI models focused separately on key process issues for development, services,
and suppliers. However, businesses rarely focus on only one domain; for example, besides
developing a product, a development organization may also provide help desk services to end
users. CMMI provides a platform to integrate all applicable domains and views and is
extendable based on organizational and market needs. This integrated and holistic approach to
performance improvement allows organizations to focus on the areas of improvement that they
find most relevant.
The format of the PA content follows a common modular structure. Figure 7. CMMI Model
Structure shows the high-level overview of the modular structure of the CMMI.
At the highest level, the CMMI is a container of PAs and composed of five components,
described in Figure 8. CMMI Component Structure.
This architecture provides a core model that contains material that applies to any context, along
with additional helpful information for organizations wishing to understand and adopt the
model, or use it in a specific context, such as agile development, security, safety, etc. This
modularization allows the model to be extended and updated with new examples, technologies,
and methods without having to update the entire model.
View
Views may be subject to change over time. A view is a window into the model that allows an
organization or project to focus on what is important to them or their organization. There are
predefined views that an organization can select, and if none of the predefined views meet
business needs, organizations can construct their own custom view, as shown in Figure 9. CMMI
Component Structure - Views. For example:
• An organization may be operating under two application domains, software development
and help desk services. The organization could then choose the predefined views of CMMI
Development (CMMI-DEV) and CMMI Services (CMMI-SVC). And, if security was important
to the organization, CMMI Security (CMMI-SEC) could be easily included with the other
two model domains.
• An organization wanting to improve their work planning and management capability could
choose a view for the Planning and Managing Work Capability Area (refer to Figure 11.
Planning and Managing Work Capability Area View) to help them manage and improve
their work management performance.
For more information regarding model views, refer to Appendix B: Predefined Model Views
– Maturity and Capability Levels.
Constructing a view consists of selecting what CMMI components to include in the view.
Domains
A domain is an organizing principle in the CMMI, including both the model and appraisal
method. Domains are functionally similar groupings of PAs that are applicable or tailored to an
organization's primary capabilities, e.g., development for systems engineering or product
development. A domain is a type of view within CMMI. The list of current domains in CMMI is
defined in Figure 10. Domain Descriptions.
Capability Area
A Capability Area is a group of related PAs that can provide improved performance in the skills
and activities of an organization or project. A Capability Area view is a subset of the CMMI that
describes a predefined set of PAs that make up a specific Capability Area. Capability Areas are a
type of a view. Figure 11. Planning and Managing Work Capability Area View illustrates a view
of the Planning and Managing Work Capability Area.
Figure 12. Categories and Associated Capability Areas shows how the Capability Areas are
organized into the categories.
These category views help to prioritize, organize, and plan resources while focusing attention
on the most critical issues facing the business.
For example:
• Customer satisfaction is both a primary objective and a challenge for most organizations.
The Doing Category provides several sets of best practices to consistently produce and
deliver solutions that satisfy the customer.
• For organizations that want to improve their planning capabilities, or that have problems
consistently planning and managing the work, the Managing Category provides several
sets of best practices to help resolve these issues.
Figure 13. Practice Area Organization shows a summary view of how CMMI PAs are organized.
Practice Group
Within PAs, the practices are organized into a set of practice group levels labeled Level 1, Level
2, etc., which provide a path for performance improvement.
Each practice group level builds on the previous levels by adding new functionality or
sophistication, resulting in increased capability.
Figure 14. Practice Group Level Characteristics provides a brief definition of the practice group
levels.
• Practice Group Level 1
o What you would expect to see from an organization or project just starting the journey
towards improvement
o Starts to focus on performance issues
• Practice Group Level 2
o Processes are performed in accordance with a recorded project or work level process
description
o Simple, but complete set of practices that address the full intent of the PA
o Does not require the use of organizational assets or standards
o The intent of the set of practices can be met in various ways based on the project
o Identifies and monitors project performance objectives
• Practice Group Level 3
o Processes are performed and managed in accordance with a recorded organizational
level process description
o Uses organizational standards and includes tailoring of processes to address unique
project and work characteristics
o Uses and contributes to organizational assets
o Manages both project and organizational performance
• Practice Group Level 4
o Processes are performed, managed, and analyzed statistically and quantitatively in
accordance with a recorded organizational level process description
o Use of statistical and other quantitative techniques to predict if quality and process
performance objectives will be achieved
o Understands special cause of variation statistically and manages progress against
quality and process performance objectives
• Practice Group Level 5
o Processes are optimized statistically and quantitatively in accordance with a recorded
organizational level process description
o Use of statistical and other quantitative techniques to optimize performance and
enhance the achievement of objectives including business, measurement and
performance, and quality and process performance objectives
o Understands common cause of variation statistically and manages improvement
against quality and process performance objectives
The order of the practices in each PA and group does not imply or require a sequential order as
performed in a process. Processes that meet the intent of the PAs and practices may be
performed iteratively, in parallel, or in any other order that best meets the needs of an
organization’s business.
Practices
Similar to the structure of the PAs, the practices in the CMMI consist of:
1. Required Practice Information:
• Practice statement
• Value statement: Business value of using this component
• Additional required material that further describes the scope and intent of the practice and
supports clear and consistent understanding and interpretation
2. Explanatory Practice Information:
• Additional Explanatory Information
• Example Activities
• Example Work Products
• Related Practice Areas, as needed
• Context Specific Information (there may be multiple context instances):
o Context specific identifier and description
o Additional informative material
Figure 15. Practice Area Versus Practice Structure provides a summary of required and
explanatory information for Practice Areas and practices.
Language Conventions: In the CMMI Performance Solutions ecosystem, when the term “or”
appears, it is used in the inclusive sense, and can mean both “and” as well as “or”:
• “and” as in “manage plans and activities” can mean managing both plans AND managing
activities
Figure 17. Model Content Relationships shows the complete set of relationships between the
categories, Capability Areas, and PAs.
Additionally, the architecture supports adding other context specific informative material,
including implementation guidance for domains such as:
• Information Technology
• Cybersecurity
• Healthcare, e.g., medical devices, pharmaceuticals, healthcare providers
• Telecommunications
• Aerospace
• Finance
• Transportation
• Education
• Government
• Hospitality
• Consulting
The architecture also works with and supports other methodologies, standards, or models such
as:
• AS9100
• Automotive SPICE
• COBIT
• ISO
• ITIL
• Kanban
• Lean
• NIST
Stage one, process execution is ad hoc and undisciplined. Individuals follow their own
unrecorded processes, which results in varied outcomes and prevents systemic organizational
learning. The need for performance improvement might be recognized, but the ability to improve is
limited and is only achieved unintentionally.
Stage two, there is conscious realization that processes are ad hoc and unrecorded. The need
for performance improvement is recognized, and basic mechanisms for improvement are
initiated.
Stage three, record processes and establish mechanisms to ensure fidelity of process execution.
Organizational support structures, including consistent senior management oversight,
encourage the continued use of the processes and associated improvements.
Stage four, processes and performance are clearly understood and habitually and persistently
followed. Refer to section Part Three: Process Persistence and Habit. Keys to performance and
process improvement are to:
• Demonstrate visible and active senior management support
Continued and consistent senior management sponsorship is critical to success. Without
constant vigilance, positive pressure, and active support, performance and process
improvement fails. Though providing funding is important, it is not enough. Because
senior management’s most valuable resource is time, people notice where and how
management spend their time and act accordingly. In other words, if senior
management demonstrates they do not pay attention, no one else will.
• Involve the people who do the work
The people who perform a task need to be involved in describing and recording the
process, so it reflects how the work is actually performed. This makes it more likely that
the process is followed and becomes the normal way work is done. If people are not
involved, they typically resist the process and fail to follow it. Active involvement in both
the process and its ongoing improvement leads to pride of ownership and active
support.
• Record the “As Is” first
When recording processes, resist the temptation to record what you think you should be
doing and focus on recording what is currently being done, i.e., the “as is” process. Also,
resist the temptation to improve the process as you record it. Record potential
improvements in a consistent way, so they can be analyzed, prioritized, and addressed
later as a part of the normal improvement process to ensure they positively impact
performance.
• Focus on meeting business objectives
Performance and process improvement initiatives must support the organization’s
business objectives. If an improvement does not trace to the business objectives,
carefully consider whether to implement it. Additionally, align the improvement priorities
with the organization’s priorities. Without this, support for the initiatives fades.
• Communicate, communicate, communicate
People want to know planned changes, how management supports these changes, and
how the change affects them. Expect that people are naturally resistant to change and
tend to go back to what is comfortable. Clear, consistent, and frequent communication
reduces the anxiety that people experience with change. Studies show that a message
must be given multiple times in multiple ways to ensure that it is received and acted on
by a majority of the people. Lack of communication is typically the number one issue in
employee satisfaction surveys.
Items that communication should cover include:
o What is changed?
o Why it is being changed, e.g., benefits and impacts, and business objectives driving
the change?
o What help is available, e.g., training, mentoring, support materials?
o How can people contribute to success?
o How is success measured?
o What methods are available for providing positive and negative feedback for
improvement?
• Establish a performance improvement infrastructure
The organization needs to ensure funding, resources, tools, training, and support are in
place to manage and champion performance and process improvement. This includes
people with appropriate skills and experience, along with clear responsibility, authority,
and accountability.
• Target the right level of detail
Focus on performance and process improvement, not on implementing and deploying the
perfect process. “Do not let perfect be the enemy of good enough.” Process documents
need to be at the right level of detail. Know when you have reached “good enough,”
and then start improving the process as it is used. When recording processes:
o Record the process at an appropriate and understandable level of detail
o Understand that if the process is too prescriptive, it impacts adoption, and if it is
written too high level, the processes have little value
o Recognize that not every eventuality can be anticipated
o Determine the appropriate level of process control
o Target an 80% solution to record a process, and then rely on continuous improvement
to address the remaining 20% of issues
• Plan and provide training
Upgraded skills are vital for supporting new behaviors and reinforcing desired behaviors.
Training should, at a minimum, cover the full scope of processes and tools for
individuals doing the work.
Providing just-in-time training is also a best practice to ensure that training supports
effective process implementation.
There are many ways to provide effective training:
o Classroom training
o Mentoring
o Formal on-the-job training
o Process walkthrough
Note that the words “CMMI Practices” or “practices” do not appear in Figure 19. Four
Characteristics of Process Habit and Persistence. This is because the focus is on the business
process enduring and continually improving, not on a CMMI practice. This is an important
distinction in the CMMI Performance Solutions.
Governance
Governance (GOV) specifies practices for senior management in support of ways of working
that are relevant and important to the organization.
Visible and active management involvement is critical to the success of performance
improvement and process implementation in an organization. Management accomplishes their
role by:
• Setting the strategy, direction, and expectations for performance improvement
• Providing adequate resources for process and performance improvement
• Ensuring that processes are aligned with business needs and objectives
• Monitoring the performance and achievements of the processes
• Reinforcing and rewarding the development and use of processes to ensure their
continued use and improvement
The GOV practices apply to the organization’s processes and to their implementation and
improvement, not to the CMMI practices themselves.
Implementation Infrastructure
Implementation Infrastructure (II) describes the necessary infrastructure to build, follow,
sustain, and improve processes over time. The term “infrastructure” in this PA refers to
everything needed to implement, perform, and sustain the organization’s set of processes. The
infrastructure includes:
• Process descriptions
• Resource availability aligned to needs, e.g., people, tools, consumables, facilities, time to
perform
• Funding to perform the processes
Figure 20. High Maturity Foundational Building Blocks provides a summary of all Practice Group
Level 2 and 3 practices that are prerequisites to achieving High Maturity.
Figure 21. High Maturity QPPO Funnel shows the starting place of the pathway for achieving
High Maturity. All organizations have business objectives from which the organization measures
what is most meaningful to building their capabilities and achieving their performance
improvement objectives. Quality and Process Performance Objectives (QPPOs) are traceable to
those business and performance objectives and are the start of the “funnel” for narrowing down
the targets for applying High Maturity.
Figure 22. High Maturity Capability Area and Practice Area Relationships depicts the
relationships among all Practice Group Level 4 and 5 practices in the CMMI. Although the
practices are interrelated, the relationship is one-to-many, with everything revolving around
the organizational processes.
Figure 22. High Maturity Capability Area and Practice Area Relationships
Figure 23. Maturity Levels 2 & 3 Versus 4 & 5 shows some of the key differences in how
processes and objectives are understood and managed between Maturity Levels 2 and 3 and at
Maturity Levels 4 and 5.
Data quality is an essential enabler of High Maturity activities. Examples of the
impacts of poor data quality include:
• Inability to conduct hypothesis tests and predictive modeling
• Inability to manage quality and performance
• Inability to meet budget and schedule
• Ineffective process changes
• Improper architecture and design decisions
• Bad information leads to bad decisions
High Maturity organizations:
• Collect, validate, and use data with high quality and integrity throughout the organization
• Use statistical and quantitative methods in their activities to plan and manage progress
against their objectives
• Provide insight into the operation of an organization and its processes based on data and
statistical analyses
• Use the measurement system to understand process performance and variation to:
o Construct Process Performance Baselines (PPBs) to manage work
o Target areas for improvement
o Evaluate the impact of proposed improvement on achieving Quality and Process
Performance Objectives (QPPOs)
o Develop PPBs and Process Performance Models (PPMs) to understand the relationships
among processes and sub-processes and their performance
• Systematically and simultaneously improve quality, schedule, and cost performance with
an in-depth quantitative understanding of the tradeoffs
An example of the importance of High Maturity thinking:
• Based upon past performance, the organization uses a data distribution to show how long
it typically takes to deliver similar features
• A customer would like a feature added in 10 weeks, and the historical delivery time for
similar features is 9 to 11 weeks
• Whether to accept the work depends on the data distribution shown in Figure 24 (Using
High Maturity to Determine if Work Should be Accepted):
o If the distribution is represented by the left chart, most of the time the feature will be
delivered in ten weeks or more
o If the distribution is represented by the right chart, most of the time the feature will
be delivered in less than ten weeks
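The decision above can be worked from the historical sample itself rather than read off a chart. The following is an added example, not part of the CMMI model text: it takes a list of past delivery times, computes the empirical probability of meeting the requested date, and reports the delivery time the organization could commit to at a chosen confidence. The two samples (SLOW_HISTORY and FAST_HISTORY), the 70% confidence threshold, and the MIN_SAMPLE cut-off are constructed for illustration and stand in for the left and right charts of Figure 24; they are not real organizational data.

```python
"""Added example, not part of the CMMI model text: the accept-or-decline
decision above, worked from a historical sample of delivery times rather than
a chart. SLOW_HISTORY and FAST_HISTORY are constructed to stand in for the
left and right charts of Figure 24; they are not real organizational data."""


# Constructed delivery times (weeks) for "similar features"; both span 9 to 11 weeks.
# SLOW_HISTORY mimics the left chart: most deliveries take 10 weeks or more.
# FAST_HISTORY mimics the right chart: most deliveries finish in under 10 weeks.
SLOW_HISTORY = [9.0, 9.9, 10.1, 10.2, 10.3, 10.5, 10.6, 10.8, 10.9, 11.0]
FAST_HISTORY = [9.0, 9.1, 9.2, 9.4, 9.5, 9.7, 9.9, 10.2, 10.6, 11.0]

# Assumption for this example: fewer samples than this is too thin a baseline to commit on.
MIN_SAMPLE = 10


def on_time_count(history, limit_weeks):
    """Number of past deliveries that finished within limit_weeks."""
    return sum(1 for t in history if t <= limit_weeks)


def fraction_within(history, limit_weeks):
    """Empirical probability that a similar feature ships within limit_weeks."""
    if not history:
        raise ValueError("no historical delivery data")
    return on_time_count(history, limit_weeks) / len(history)


def percentile(history, pct):
    """Nearest-rank percentile (integer pct, 1..100): the delivery time that
    pct percent of past work met. Integer arithmetic avoids float rounding."""
    if not history or not 1 <= pct <= 100:
        raise ValueError("need data and 1 <= pct <= 100")
    ordered = sorted(history)
    rank = -(-pct * len(ordered) // 100)  # ceil(pct * n / 100)
    return ordered[rank - 1]


def decide(history, requested_weeks, confidence_pct):
    """Accept only if past performance meets the requested date at the required
    confidence, and only if the baseline has enough samples to be trusted."""
    n = len(history)
    if n == 0:
        raise ValueError("no historical delivery data")
    hits = on_time_count(history, requested_weeks)
    return {
        "p_on_time": hits / n,
        # The date that could be committed at this confidence, e.g. as a counter-offer
        "commit_point_weeks": percentile(history, confidence_pct),
        "enough_data": n >= MIN_SAMPLE,
        "accept": n >= MIN_SAMPLE and hits * 100 >= confidence_pct * n,
    }


if __name__ == "__main__":
    for label, history in (("left chart", SLOW_HISTORY), ("right chart", FAST_HISTORY)):
        d = decide(history, requested_weeks=10, confidence_pct=70)
        print(f"{label}: P(<= 10 wk) = {d['p_on_time']:.0%}, "
              f"70% commit point = {d['commit_point_weeks']} wk, accept = {d['accept']}")
```

The empirical probability is only as trustworthy as the Process Performance Baseline it comes from: the calculation assumes the delivery process is stable, so special-cause variation should be ruled out (for instance with a control chart) before the history is used to commit to a customer, and a small sample should be treated as a reason to decline or counter-offer rather than as evidence.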
Level 2........................................................................................................................... 22
CAR 2.1 .............................................................................................................................. 22
CAR 2.2 .............................................................................................................................. 24
Level 3........................................................................................................................... 26
CAR 3.1 .............................................................................................................................. 26
CAR 3.2 .............................................................................................................................. 27
CAR 3.3 .............................................................................................................................. 29
CAR 3.4 .............................................................................................................................. 30
CAR 3.5 .............................................................................................................................. 31
Level 4........................................................................................................................... 33
CAR 4.1 .............................................................................................................................. 33
CAR 4.2 .............................................................................................................................. 34
Level 5........................................................................................................................... 36
CAR 5.1 .............................................................................................................................. 36
CM Overview ................................................................................................................. 37
Level 1........................................................................................................................... 42
CM 1.1 ................................................................................................................................ 42
Level 2........................................................................................................................... 43
CM 2.1 ................................................................................................................................ 43
CM 2.2 ................................................................................................................................ 45
CM 2.3 ................................................................................................................................ 48
CM 2.4 ................................................................................................................................ 50
CM 2.5 ................................................................................................................................ 52
CM 2.6 ................................................................................................................................ 54
Continuity (CONT) 56
Level 2........................................................................................................................... 60
CONT 2.1 ............................................................................................................................ 60
CONT 2.2 ............................................................................................................................ 61
CONT 2.3 ............................................................................................................................ 63
Level 3........................................................................................................................... 66
CONT 3.1 ............................................................................................................................ 66
CONT 3.2 ............................................................................................................................ 67
CONT 3.3 ............................................................................................................................ 69
DM Overview ................................................................................................................. 72
Level 1........................................................................................................................... 74
DM 1.1 ................................................................................................................................ 74
DM 1.2 ................................................................................................................................ 74
Level 2........................................................................................................................... 77
DM 2.1 ................................................................................................................................ 77
DM 2.2 ................................................................................................................................ 79
Level 3........................................................................................................................... 82
DM 3.1 ................................................................................................................................ 82
DM 3.2 ................................................................................................................................ 84
DQ Overview ................................................................................................................. 86
Level 1........................................................................................................................... 88
DQ 1.1................................................................................................................................. 88
DQ 1.2................................................................................................................................. 89
Level 2........................................................................................................................... 90
DQ 2.1................................................................................................................................. 90
DQ 2.2................................................................................................................................. 91
DQ 2.3................................................................................................................................. 92
Level 3........................................................................................................................... 94
DQ 3.1................................................................................................................................. 94
DQ 3.2................................................................................................................................. 96
Level 2..........................................................................................................................117
ESAF 2.1........................................................................................................................... 117
ESAF 2.2........................................................................................................................... 119
ESAF 2.3........................................................................................................................... 121
Intent
Identifies causes of selected outcomes and takes action to either prevent recurrence of
undesirable outcomes or ensure recurrence of positive outcomes.
Value
Addresses causes of issues, eliminating rework and directly improving quality and productivity.
Explanatory PA Information
Practice Summary
Level 1
CAR 1.1 Identify and address causes of selected outcomes.
Level 2
CAR 2.1 Select outcomes for analysis.
CAR 2.2 Analyze and address causes of outcomes.
Level 3
CAR 3.1 Determine causes of selected outcomes by following an organizational
process.
CAR 3.2 Propose actions to address identified causes.
CAR 3.3 Implement selected action proposals.
CAR 3.4 Record causal analysis and resolution data.
CAR 3.5 Submit improvement proposals for changes proven to be effective.
Level 4
CAR 4.1 Perform root cause analysis of selected outcomes using statistical and
other quantitative techniques.
CAR 4.2 Evaluate the effect of implemented actions on process performance using
statistical and other quantitative techniques.
Level 5
CAR 5.1 Use statistical and other quantitative techniques to evaluate other
solutions and processes to determine if the resolution should be applied
to optimize performance across the organization.
Context Specific
Agile Development
Agile teams identify and address blockers and collect Sprint data during the iteration and review
it in the retrospective. A typical agile retrospective reviews what went wrong, what worked well,
and selects improvements for the next Sprint.
For example, a team that is consistently unable to complete the work defined for each Sprint
would look for various causes, such as chronic distractions, using unreliable velocity data,
poorly defined user stories, exceeding team capacity, or underestimating complexity. These
underlying causes would be identified, analyzed, ranked, and addressed.
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop, test,
deploy, release, and keep updated a secure solution.
DevSecOps teams typically conduct reviews at the end of each iteration based on the
framework or methodology chosen, such as Scrum, Kanban, SAFe, etc. For example, in Scrum,
retrospectives occur at the end of each Sprint. During these retrospectives, teams identify
progress and the work impediments or blockers to be resolved during the next Sprint. A
challenge DevSecOps teams face when performing causal analysis is the perception, when
someone in a retrospective says “Let’s get to the root of the problem,” that this really means
“Who is to blame?” This “blame game” is counter to a positive DevSecOps culture. Root cause
analysis should be focused on the process, not the people.
A further challenge with root cause analysis in modern software development is that it may not
consistently cope with the complexity of the software and so often does not provide solutions
quickly enough. In a DevSecOps environment where iterations are short and Continuous
Integration / Continuous Delivery (CI/CD) pipelines, microservices, containers, etc., are in
constant flux, getting to the root cause is harder because data is only available at specific
points in time and because of the complex interactions among system components, interfaces
or connections, applications, and environments.
DevSecOps teams typically address causal analysis incrementally, focusing on what is actionable
and can be corrected in the next Sprint. For example, failures at gate checkpoints in the CI/CD
pipeline can be outcomes that initiate analysis, and simple techniques such as Five Whys can be
used. Some issues may require multiple Sprints to correct or require collaboration across
multiple DevSecOps teams, for example the inability to identify errors in the early stages, lack
of collaboration among team members, or lack of ability to identify vulnerabilities.
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
Causal analysis and resolution activities may include evaluating acquirer processes that interface
or connect with supplier processes. When acquirers and suppliers jointly perform causal
analysis, it can lead to improvement actions such as:
• Supplier improving its processes to conduct the project more effectively
• Acquirer improving its supplier interfaces or connections
• Changes in jointly used tools or technologies
Level 1
CAR 1.1
Required Practice Information
Practice Statement
Identify and address causes of selected outcomes.
Value
Increases likelihood of achieving business objectives.
Example Activities
Level 2
CAR 2.1
Required Practice Information
Practice Statement
Select outcomes for analysis.
Value
Focuses efforts on the outcomes with the greatest impact on achieving objectives.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop, test,
deploy, release, and keep updated a secure solution.
Retrospectives are time-boxed activities and because of this, once all issues from the previous
Sprint have been identified, teams typically need to use previously defined criteria to prioritize
and pick their top two to three items for further analysis. Use of criteria is beneficial in helping
uncover and address root causes that can develop into a larger issue in upcoming Sprints and
to prioritize corrective action in upcoming Sprints. It may be several Sprints before the team
addresses all key issues. It also may take several Sprints before the team can determine if their
corrective actions are effective.
CAR 2.2
Required Practice Information
Practice Statement
Analyze and address causes of outcomes.
Value
Reduces cost and time to meet objectives more efficiently.
Example Activities
Level 3
CAR 3.1
Required Practice Information
Practice Statement
Determine causes of selected outcomes by following an organizational process.
Value
Increases likelihood of meeting objectives by promoting successes and avoiding problems.
Example Activities
CAR 3.2
Required Practice Information
Practice Statement
Propose actions to address identified causes.
Value
Reduces cost and time by preventing negative outcomes or producing positive outcomes.
Example Activities
CAR 3.3
Required Practice Information
Practice Statement
Implement selected action proposals.
Value
Implements changes that have the most impact on increasing the likelihood of meeting
objectives.
Example Activities
CAR 3.4
Required Practice Information
Practice Statement
Record causal analysis and resolution data.
Value
Records and communicates improvement efforts across the organization, leveraging savings
and increasing productivity.
Example Activities
CAR 3.5
Required Practice Information
Practice Statement
Submit improvement proposals for changes proven to be effective.
Value
Reduces disruptions and rework and allows projects to learn from each other and increase
productivity.
Example Activities
Level 4
CAR 4.1
Required Practice Information
Practice Statement
Perform root cause analysis of selected outcomes using statistical and other quantitative
techniques.
Value
Improves the likelihood that the project will meet its quality and process performance
objectives.
Example Activities
CAR 4.2
Required Practice Information
Practice Statement
Evaluate the effect of implemented actions on process performance using statistical and other
quantitative techniques.
Value
Maximizes the likelihood of meeting quality and process performance objectives.
Example Activities
Level 5
CAR 5.1
Required Practice Information
Practice Statement
Use statistical and other quantitative techniques to evaluate other solutions and processes to
determine if the resolution should be applied to optimize performance across the organization.
Value
Leverages improvements across the organization to minimize cost and risk.
Example Activities
Intent
Manages the integrity of work products using configuration identification, version control,
change control, and audits.
Value
Reduces loss of work and increases the ability to deliver the correct version of the solution to
the customer.
Explanatory PA Information
Practice Summary
Level 1
CM 1.1 Perform version control.
Level 2
CM 2.1 Identify items to be placed under configuration management.
CM 2.2 Develop, keep updated, and use a configuration and change
management system.
CM 2.3 Develop or release baselines for internal use or for delivery to the
customer.
CM 2.4 Manage changes to the items under configuration management.
CM 2.5 Develop, keep updated, and use records describing items under
configuration management.
CM 2.6 Perform configuration audits to maintain the integrity of configuration
baselines, changes, and content of the configuration management
system.
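CM 2.3 (baselines) and CM 2.6 (configuration audits) can be made concrete with a small integrity check. The following is an added example and is not part of the CMMI model or of any ISACA tooling: it records a SHA-256 digest for every item placed under configuration management when a release baseline is established, and later audits a working copy against that baseline, reporting items that were modified, are missing, or were never part of the baseline. The item names and contents (RELEASE_1_0, WORKING_COPY) are constructed for illustration.

```python
"""Added example, not part of the CMMI model: a minimal baseline integrity audit.
A baseline records a SHA-256 digest for every configuration item; a later audit
recomputes the digests and reports anything modified, missing, or unexpected.
The item names and contents below are constructed for illustration."""
import hashlib


def digest(content):
    """SHA-256 hex digest of one configuration item's content (bytes)."""
    return hashlib.sha256(content).hexdigest()


def build_baseline(items):
    """Record the identity (name) and digest of every item in a release baseline.
    items: dict mapping item name -> content bytes."""
    return {name: digest(content) for name, content in sorted(items.items())}


def audit_baseline(baseline, current):
    """Physical configuration audit: compare what is checked out or deployed
    (current: name -> bytes) against the recorded baseline (name -> digest)."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, expected in baseline.items():
        if name not in current:
            report["missing"].append(name)
        elif digest(current[name]) != expected:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    # Anything present now that the baseline never contained was not change-controlled.
    report["unexpected"] = sorted(set(current) - set(baseline))
    return report


def baseline_intact(report):
    """True only if every baselined item is present, unchanged, and nothing extra exists."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


# Constructed configuration items for a release baseline.
RELEASE_1_0 = {
    "src/app.py": b"print('release 1.0')\n",
    "config/settings.yaml": b"debug: false\nallowed_hosts: [example.internal]\n",
    "docs/release-notes.md": b"# 1.0\nInitial release.\n",
}
BASELINE_1_0 = build_baseline(RELEASE_1_0)

# Constructed working copy: one item changed (debug switched on), one item
# missing, and one script that was never placed under configuration management.
WORKING_COPY = {
    "src/app.py": b"print('release 1.0')\n",
    "config/settings.yaml": b"debug: true\nallowed_hosts: [example.internal]\n",
    "scripts/hotfix.sh": b"#!/bin/sh\necho patched\n",
}

if __name__ == "__main__":
    result = audit_baseline(BASELINE_1_0, WORKING_COPY)
    for status, names in result.items():
        print(f"{status:>10}: {', '.join(names) or '-'}")
    print("baseline intact:", baseline_intact(result))
```

A digest manifest detects drift; it does not establish who authorized a change. In practice the manifest is itself a controlled item: keep it in the configuration management system or sign it, so that someone who can alter an item cannot silently alter the recorded digest as well, and route every “modified” or “unexpected” finding back through change control (CM 2.4) rather than treating the audit as approval.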
External References
Context Specific
Agile Development
Configuration management processes are used with agile development efforts to maintain the
integrity of work products and deliverables. In an agile development project, the definition of
“done” is also a term that the team typically discusses and decides when conducting Sprint
planning, reviews, and retrospectives, so that the entire team agrees on the criteria for knowing
when the work product or solution is complete. Understanding the definition of “done” is
important to being able to verify and validate that the correct versions are produced and
delivered from each Sprint.
Development
Context: Use processes to develop quality products and services to meet the needs of
customers and end users.
Examples of work products that can be placed under configuration management may include:
• Hardware and equipment
• Drawings, diagrams, and mockups
• Product specifications
• Tool configurations
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop, test,
deploy, release, and keep updated a secure solution.
Level 1
CM 1.1
Required Practice Information
Practice Statement
Perform version control.
Value
Increases customer satisfaction by ensuring that the correct solution is delivered.
Example Activities
Level 2
CM 2.1
Required Practice Information
Practice Statement
Identify items to be placed under configuration management.
Value
Reduces risk of rework and verifies that the right version is delivered to the customer.
Example Activities
Context Specific
Safety
Log, track, and manage safety management work products throughout the solution lifecycle.
Develop and keep updated a hazard tracking system with data for each hazard as appropriate
for the solution. Examples of applicable data to include in the hazard status log include:
• Type of hazard
• Solution lifecycle phases affected by the hazard
• Causal factor, e.g., hardware, software, and human
• Effects of the hazard
• Initial risk type and associated risk category
• Risk event and associated risk category
• Hazard mitigation measures
• Action person(s) and organizational element
• Hazard status, e.g., open or closed
Management of open source components and their security requirements and vulnerabilities is
critical, because open source components are frequently abandoned or not updated. This can be
addressed using a Software or Sales Bill of Materials (SBOM), also known as a Software Bill of
Sales (SBOS).
An SBOM enables organizations to track every component in their codebases. Because open
source components are frequently essential parts of application development, software
development teams can use an effective Software Composition Analysis (SCA) tool to inventory
the open source and third-party components in their code.
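As an added illustration of what tracking components through an SBOM looks like in practice (example code written for this page, not part of the CMMI model or any SCA product), the script below reads a minimal CycloneDX-style SBOM, builds the component inventory, flags components whose upstream has not released within a chosen period (the "abandoned or not updated" concern above), and matches components against an advisory list by fixed version. The SBOM, the release-date table and the advisory entries are all constructed inline with placeholder identifiers; in real use the release dates and advisories would come from the package registry and a vulnerability feed.

```python
"""Inventory the components listed in an SBOM and flag maintenance and
advisory concerns. Added example: the SBOM, the release-date table and the
advisory list are constructed inline for illustration, not real data."""
import json
from datetime import date

# Constructed CycloneDX-style SBOM (the subset of fields an SCA tool would emit).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.4.1",
     "purl": "pkg:pypi/example-http@2.4.1"},
    {"type": "library", "name": "example-yaml", "version": "0.9.0",
     "purl": "pkg:pypi/example-yaml@0.9.0"},
    {"type": "library", "name": "example-crypto", "version": "1.2.0",
     "purl": "pkg:pypi/example-crypto@1.2.0"}
  ]
}
"""

# Constructed maintenance data: date of the latest upstream release per package
# (keyed by purl without the version part).
LAST_RELEASE = {
    "pkg:pypi/example-http": date(2023, 9, 1),
    "pkg:pypi/example-yaml": date(2019, 2, 14),   # constructed: no release in years
    "pkg:pypi/example-crypto": date(2023, 6, 30),
}

# Constructed advisory list with placeholder ids (not real CVEs): package -> first fixed version.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "pkg:pypi/example-crypto", "fixed_in": "1.3.0"},
]


def parse_version(v):
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def split_purl(purl):
    """Return (package identifier without version, version) for a simple purl."""
    pkg, _, ver = purl.rpartition("@")
    return pkg, ver


def inventory(sbom_text):
    """One record per SBOM component: purl, name, version."""
    doc = json.loads(sbom_text)
    return [{"purl": c["purl"], "name": c["name"], "version": c["version"]}
            for c in doc.get("components", [])]


def find_stale(components, today, max_age_days=730):
    """Names of components whose upstream has not released within max_age_days
    (or for which no release information is known at all)."""
    stale = []
    for c in components:
        pkg, _ = split_purl(c["purl"])
        last = LAST_RELEASE.get(pkg)
        if last is None or (today - last).days > max_age_days:
            stale.append(c["name"])
    return stale


def find_affected(components):
    """(component name, advisory id) pairs where the used version is below the fix."""
    hits = []
    for c in components:
        pkg, ver = split_purl(c["purl"])
        for adv in ADVISORIES:
            if adv["package"] == pkg and parse_version(ver) < parse_version(adv["fixed_in"]):
                hits.append((c["name"], adv["id"]))
    return hits


def audit_sbom(sbom_text, today_iso):
    """Run inventory, staleness and advisory checks as of the given ISO date."""
    comps = inventory(sbom_text)
    today = date.fromisoformat(today_iso)
    return {
        "components": [c["purl"] for c in comps],
        "stale": find_stale(comps, today),
        "affected": find_affected(comps),
    }


if __name__ == "__main__":
    print(json.dumps(audit_sbom(SBOM_JSON, "2023-11-20"), indent=2))
```

The staleness threshold (two years here) is a policy choice the organization records in its configuration management approach; the point of the example is that once components are inventoried from the SBOM, both checks are mechanical and can run on every build.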
CM 2.2
Required Practice Information
Practice Statement
Develop, keep updated, and use a configuration and change management system.
Value
Reduces the cost and effort needed to control the integrity of work products and solutions.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop, test,
deploy, release, and keep updated a secure solution.
DevSecOps teams use their configuration tools to incrementally build an automated Continuous
Integration / Continuous Delivery (CI/CD) pipeline for the software that spans the initial build
through automated releases. A primary benefit of CI is that it saves time during the
development cycle by identifying and addressing issues early. It also reduces the time spent on
bug fixes and regression by providing continuous feedback to the development team, allowing
them to take corrective or preventive action. Automated, built-in configuration audits during CI
help uncover issues in a timely manner. The binary code from the various builds is stored in the
team's artifact repository along with supporting artifacts, and the configuration management
database is used to track the high-level status of all configuration items used.
DevSecOps teams typically use agile project management tools that support agile methodology
and CI/CD configuration management, e.g., JIRA, Confluence, Azure Boards, to manage change
requests through automated workflows and change states. Tools of this type allow all
information relevant to a change to be captured and used to support decision making, impact
analysis, and communication with stakeholders on the status of their changes as they move
through the change process from request to implementation. The configuration of these tools
also needs to be controlled with appropriate change and approval mechanisms. Otherwise, a
poor configuration of an automated test tool, analysis tool, build tool, or security scanner may
report false errors or allow defects or security vulnerabilities to go undetected.
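The last point above, that the configuration of pipeline tools and scanners must itself be under change control, is what an automated configuration audit in CI can enforce. The following is an added example written for this page (not code from the CMMI model or any CI product): it records an approved baseline as a manifest of file hashes tied to a change-request reference, then audits the current tool configuration against that manifest and reports modified, missing and unexpected files. The file names, contents and the change-request id are constructed placeholders; the weakened scanner threshold in the "current" state is exactly the kind of silent change that would let vulnerabilities go undetected.

```python
"""Audit pipeline and tool configuration files against an approved baseline.
Added example: the baseline, the 'current' file contents, the file names and
the change-request id are all constructed placeholders."""
import hashlib
import json
from pathlib import Path

# Constructed approved content of the controlled configuration files.
APPROVED_CONTENT = {
    ".ci/pipeline.yml": b"stages: [build, test, scan, release]\nscan: {fail_on: high}\n",
    "scanner.cfg": b"severity_threshold=high\nignore_paths=\n",
}

# Baseline manifest: path -> sha256 of the approved content plus the change
# request that approved it. In practice this manifest lives in the CM system.
BASELINE = {
    "version": "baseline-placeholder-2023.11",
    "files": {
        path: {"sha256": hashlib.sha256(data).hexdigest(),
               "approved_by": "CR-PLACEHOLDER-42"}
        for path, data in APPROVED_CONTENT.items()
    },
}

# Constructed current state: the scanner threshold was raised to 'critical'
# and a path was excluded without a change request, and an extra config
# file appeared that nobody approved.
CURRENT_CONTENT = {
    ".ci/pipeline.yml": APPROVED_CONTENT[".ci/pipeline.yml"],
    "scanner.cfg": b"severity_threshold=critical\nignore_paths=src/legacy\n",
    "lint.cfg": b"max_line_length=200\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit(baseline, current):
    """Compare current file contents with the baseline manifest.

    Returns lists of 'modified' (hash differs from the approved one),
    'missing' (in the baseline but absent) and 'unexpected' (present but
    never baselined) paths, each sorted for stable reporting."""
    expected = baseline["files"]
    result = {"modified": [], "missing": [], "unexpected": []}
    for path, entry in expected.items():
        if path not in current:
            result["missing"].append(path)
        elif sha256_hex(current[path]) != entry["sha256"]:
            result["modified"].append(path)
    for path in current:
        if path not in expected:
            result["unexpected"].append(path)
    for key in result:
        result[key].sort()
    return result


def passes(report) -> bool:
    """An audit passes only when every discrepancy list is empty."""
    return not any(report.values())


def load_tree(root):
    """Read a real directory into the same path -> bytes shape used above,
    so the same audit() can run inside a CI job."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


if __name__ == "__main__":
    report = audit(BASELINE, CURRENT_CONTENT)
    print(json.dumps(report, indent=2))
    print("audit passed:", passes(report))
```

In a pipeline the job would fail the build when `passes()` is false, and the "modified" entry would be traced back to the approving change request in the manifest; an unexpected or modified scanner configuration is treated as a finding, not as a convenience.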
CM 2.3
Required Practice Information
Practice Statement
Develop or release baselines for internal use or for delivery to the customer.
Value
Ensures the integrity of the work products.
Example Activities
Context Specific
Development
Context: Use processes to develop quality products and services to meet the needs of
customers and end users.
CM 2.4
Required Practice Information
Practice Statement
Manage changes to the items under configuration management.
Value
Reduces costs and schedule impacts by ensuring that only authorized changes are made.
Example Activities
CM 2.5
Required Practice Information
Practice Statement
Develop, keep updated, and use records describing items under configuration management.
Value
Reduces rework through accurate descriptions of the configuration items and status of changes.
Example Activities
Context Specific
Data
Context: Use processes to incorporate data management best practices as an integral part
of the solution.
Record, manage, and keep updated key information for data items, e.g., authoritative source,
ownership and governance data parameters, metadata, access and distribution parameters,
privacy classification, security classification, retention parameters.
CM 2.6
Required Practice Information
Practice Statement
Perform configuration audits to maintain the integrity of configuration baselines, changes, and
content of the configuration management system.
Value
Increases customer satisfaction and stakeholder acceptance by ensuring that the customer
receives the agreed-on and correct versions of work products and solutions.
Example Activities
Continuity (CONT)
CONT Overview
Required PA Information
Intent
Anticipates and addresses disruptions to critical business operations so work can continue or
resume as soon as possible.
Value
Enables continued operation when serious disruptions or catastrophic events occur.
Explanatory PA Information
Practice Summary
Level 1
CONT 1.1 Develop contingency approaches for managing significant disruptions to
operations.
Level 2
CONT 2.1 Identify and prioritize functions essential for continuity.
CONT 2.2 Identify and prioritize resources essential for continuity.
CONT 2.3 Develop, keep updated, and follow continuity plans to resume performing
essential functions.
Level 3
CONT 3.1 Develop and keep updated materials for continuity training.
CONT 3.2 Provide and evaluate continuity training according to the plan.
CONT 3.3 Prepare, conduct, and analyze results from verification and validation of
the continuity plan.
Context Specific
Safety
Safety hazards and events have the potential to significantly impact or disrupt normal
operations. Monitor safety hazards and events like any other significant disruption when
identifying disaster recovery or other continuity plans, and address safety needs in those plans.
Level 1
CONT 1.1
Required Practice Information
Practice Statement
Develop contingency approaches for managing significant disruptions to operations.
Value
Enables an organization to respond to potential disruptive events or situations and continue to
meet customer needs.
Example Activities
Level 2
CONT 2.1
Required Practice Information
Practice Statement
Identify and prioritize functions essential for continuity.
Value
Enables continued operation of essential functions during an emergency or significant
disruption.
Example Activities
CONT 2.2
Required Practice Information
Practice Statement
Identify and prioritize resources essential for continuity.
Value
Maintains customer satisfaction and continues business operation during an emergency or
significant disruption.
Include essential external resources when identifying resources. This might include defining
succession plans in the event critical resources are incapacitated or otherwise not available
when needed. Other commonly overlooked resources include consumables and vital records,
e.g., documents describing legal or financial obligations.
Identify essential resources by analyzing the:
• Organization’s operations
• Functions essential to continuity
• Agreements and standard operational definitions
• Dependencies among system components, affected stakeholders, and the operational
environment
Common resource dependencies include:
• Internal and external information and data sources
• Key personnel who make decisions or are significant contributors to operations
Essential resources generally fall into one of the following categories:
• Emergency operating resources, e.g., key personnel, equipment, consumables, necessary
to resume disrupted operations
• Legal and financial resources, e.g., contractual documents, essential to protect the rights
and interests of the organization and individuals directly affected by the emergency
Example Activities
CONT 2.3
Required Practice Information
Practice Statement
Develop, keep updated, and follow continuity plans to resume performing essential functions.
Value
Minimizes impact on customer satisfaction by restoring services quickly.
Example Activities
Level 3
CONT 3.1
Required Practice Information
Practice Statement
Develop and keep updated materials for continuity training.
Value
Prepares the organization to perform essential functions in response to catastrophic events.
Example Activities
CONT 3.2
Required Practice Information
Practice Statement
Provide and evaluate continuity training according to the plan.
Value
Maximizes team members’ ability to restore or continue essential functions for the business.
Example Activities
CONT 3.3
Required Practice Information
Practice Statement
Prepare, conduct, and analyze results from verification and validation of the continuity plan.
Value
Increases confidence and likelihood that the continuity plan is effective to meet requirements
and the operational needs of users.
Example Activities
Intent
Identifies, implements, and controls the approach and activities for managing data.
Value
Maximizes operational efficiency by prioritizing critical data activities to meet performance
needs.
Explanatory PA Information
Practice Summary
Level 1
DM 1.1 Identify data management objectives.
DM 1.2 Use metadata to manage data.
Level 2
DM 2.1 Develop, keep updated, and follow a data management approach that is
aligned to objectives.
DM 2.2 Establish a data management architecture to support the data
management approach.
Level 3
DM 3.1 Establish and deploy an organizational data management capability.
DM 3.2 Perform reviews periodically on the effectiveness of the organization’s
data management capability and take action on results.
External References
Level 1
DM 1.1
Required Practice Information
Practice Statement
Identify data management objectives.
Value
Increases probability that data supports achievement of objectives.
Example Activities
DM 1.2
Required Practice Information
Practice Statement
Use metadata to manage data.
Value
Increases accessibility, objectiveness, and usability of critical data.
Example Activities
Example Activity: Define, record, and use metadata.
Further Explanation: Metadata may be captured and stored in data models, systems, networks,
project documentation, operational documentation, or in lists of key business terms. Identify
sources of existing metadata; evaluate their completeness, categorization, and properties; and
plan to consolidate and enhance them into a cohesive meta-model reflecting their needs.
As an example of existing metadata assets which may be leveraged, sources based on data
models typically include the following items:
• Entity type name
• Attribute name
• Table name
• Column name
• Data type
• Length
• Allowed values
• Default values
• Mandatory/Optional indicator
Data definitions should be defined for entity types, attributes, tables, and columns, and should
reflect logical relationships and dependencies between data elements.
Level 2
DM 2.1
Required Practice Information
Practice Statement
Develop, keep updated, and follow a data management approach that is aligned to objectives.
Value
Improves the usability and accessibility of the data to the work.
Example Activities
DM 2.2
Required Practice Information
Practice Statement
Establish a data management architecture to support the data management approach.
Value
Provides an efficient and effective structure for consistently performing data management
activities.
Emphasis should be on critical data sharing needs for the work performed. This may require
streamlining the data layer, for example:
• Redesign and consolidation of data stores
• Reducing data redundancy
• Improving data integration through common interface or connection specifications and
data services
• Defining and enhancing a data technology stack
• Reconciling redundant, incomplete, inaccurate, or missing data
The target data layer should support the data management and data quality objectives and
incorporate data profiling and validation results. This verifies that high-quality, trusted data can
be used to meet critical objectives.
The approach should ensure that the architecture reflects identified legal and regulatory
requirements appropriately. Performance requirements may also impact how the architecture is
designed and realized. For example, complex and distributed cloud architectures may be more
cost effective but may result in degraded performance results.
The architectural approach must be flexible and consider evolving needs, technology
obsolescence, and resulting data migrations. It is important to validate that operations adopt
any architectural transition plans to minimize negative impact. Major impacts to key operational
systems need to be analyzed, and appropriate mitigation strategies must be recorded to ensure
uninterrupted delivery of operational data.
The architectural approach must be reviewed for consistency with relevant needs and
architectural standards and approved before proceeding with design and implementation.
Because the architectural approach requires long-term guidance, it should be kept updated in
response to changing work and environmental conditions.
Example Activities
Level 3
DM 3.1
Required Practice Information
Practice Statement
Establish and deploy an organizational data management capability.
Value
Increases effective communication, common understanding, and use of data across the
business.
The data glossary is the core of the organization’s data infrastructure. Although it is simple in
concept, it can be a significant challenge to define, reconcile, harmonize, qualify, approve, and
keep updated all shared data terminology. Distinctions between terms employed across the
organization are often not well-defined or recorded, and terms used by work groups often have
assumed or implied meanings that must be resolved.
The data glossary is an approved, governed collection of data term names, definitions,
metadata, and their relationships. This provides a stable foundation for understanding and
integrating data across the organization without ambiguity or duplication.
An approved standard data glossary supports the data architecture. Without it, re-architecting,
consolidation, and effective sharing of corporate data assets are slower, more complex, and
more costly. Development of data stores, consolidations, and designs are often driven by
events, and frequently result in ad hoc naming and definitions of data terms.
Data glossary standards should be developed, followed, and kept updated through data
governance, and corresponding approval and change processes. A proper communication or
feedback loop should be established to ensure that changes and recommendations within the
data terms remain consistent and accurate within the data glossary.
Example Activities
DM 3.2
Required Practice Information
Practice Statement
Perform reviews periodically on the effectiveness of the organization’s data management
program and take action on results.
Value
Enables more reliable, current, and consistent data-based decisions and results.
Example Activities
Intent
Develops, follows, and keeps updated an approach for implementing data quality standards.
Value
Maximizes the value and accuracy of data for effective business operations and consistent
decision-making.
Explanatory PA Information
Practice Summary
Level 1
DQ 1.1 Identify data quality parameters.
DQ 1.2 Perform data cleansing activities.
Level 2
DQ 2.1 Define criteria for data cleansing.
DQ 2.2 Develop, keep updated, and follow a data quality approach.
DQ 2.3 Perform data cleansing based on criteria and data quality approach.
Level 3
DQ 3.1 Conduct data quality assessments.
DQ 3.2 Perform reviews periodically on the effectiveness of the organization’s
data quality activities and take action on results.
• Ensure that the quality of data meets business purposes and the organization’s strategic
objectives
The data quality approach provides the basis for cleansing data defects to ensure fitness for
intended uses in business operations, decision-making, and planning. A comprehensive data
quality program typically involves:
• Data quality profiling and data quality assessment including activities to assess the data
under management against a set of defined quality objectives
• Implementing repeatable processes for data quality cleansing that reduce effort and
lower costs, enabling the organization to ensure “fit for purpose” data assets
Level 1
DQ 1.1
Required Practice Information
Practice Statement
Identify data quality parameters.
Value
Increases the consistency and effectiveness of data quality activities.
Example Activities
DQ 1.2
Required Practice Information
Practice Statement
Perform data cleansing activities.
Value
Increases the value and consistency of data across the business.
Example Activities
Level 2
DQ 2.1
Required Practice Information
Practice Statement
Define criteria for data cleansing.
Value
Increases data accuracy to improve consistency and effectiveness of decisions.
Example Activities
DQ 2.2
Required Practice Information
Practice Statement
Develop, keep updated, and follow a data quality approach.
Value
Increases confidence in and reliability of data, enabling more accurate business operations and
enhanced decision-making capability.
Example Activities
DQ 2.3
Required Practice Information
Practice Statement
Perform data cleansing based on criteria and data quality approach.
Value
Increases consistency of data across the organization to improve reliability of decision-making.
Example Activities
Level 3
DQ 3.1
Required Practice Information
Practice Statement
Conduct data quality assessments.
Value
Increases the consistency, completeness, and accuracy of data used across the organization.
Example Activities
DQ 3.2
Required Practice Information
Practice Statement
Perform reviews periodically on the effectiveness of the organization’s data quality activities and
take action on results.
Value
Increases efficient use of data across business operations, systems, and processes.
Example Activities
Intent
Makes and records decisions using a recorded process that analyzes alternatives.
Value
Increases the objectivity of decision-making and the probability of selecting the optimal
solution.
Explanatory PA Information
Practice Summary
Level 1
DAR 1.1 Define and record the alternatives.
DAR 1.2 Make and record the decision.
Level 2
DAR 2.1 Develop, keep updated, and use rules to determine when to follow a
recorded process for criteria-based decisions.
DAR 2.2 Develop criteria for evaluating alternatives.
DAR 2.3 Identify alternative solutions.
DAR 2.4 Select evaluation methods.
DAR 2.5 Evaluate and select solutions using criteria and methods.
Level 3
DAR 3.1 Develop, keep updated, and use a description of role-based decision
authority.
Context Specific
Agile Development
Context: Use processes to develop quality products and services to meet the needs of
customers and end users.
Efforts in development can use criteria-based decision-making for alternatives that may include:
• Whether to opt for a short-term code fix that would increase technical debt, or a longer-
term solution
• Which design approach to pursue
• Whether to build, buy, or reuse software code
• Whether to invest in automated testing, and to what degree, given the upfront investment
needed
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
The acquirer has the ultimate responsibility for ensuring that the appropriate decision-making
activities are performed. When the supplier is involved in decisions that affect the overall
solution, the acquirer engages with the supplier to provide oversight of the decision process to
meet business needs.
Use a repeatable, criteria-based decision-making process for:
• Critical decisions that define and guide the acquisition process
• Critical decisions made with the selected supplier
This decision-making process should be consistent with the acquisition strategy. Revisit these
criteria when considering changes or technology additions that affect requirements or other
critical project parameters. A formal process also helps the acquirer and supplier to
communicate decisions.
Level 1
DAR 1.1
Required Practice Information
Practice Statement
Define and record the alternatives.
Value
Reduces potential rework with a clear definition and understanding of the alternatives.
Example Activities
DAR 1.2
Required Practice Information
Practice Statement
Make and record the decision.
Value
Provides a clear understanding of rationale and decisions made and avoids constant revisions
and rework.
Example Activities
Level 2
DAR 2.1
Required Practice Information
Practice Statement
Develop, keep updated, and use rules to determine when to follow a recorded process for
criteria-based decisions.
Value
Reduces costs by focusing on the most important decisions.
Example Activities
Context Specific
Development
Context: Use processes to develop quality products and services to meet the needs of
customers and end users.
Examples of activities for which you may use a criteria-based decision-making process include:
• Making design implementation decisions when technical performance failure can cause a
catastrophic failure, e.g., safety-of-flight item
• Making decisions with the potential to significantly reduce design risk, engineering
changes, cycle time, response time, and production costs, e.g., to use different
approaches to assess form and fit capability before releasing engineering drawings and
production builds
• Developing new or changing existing requirements resulting in significantly different
alternative architectures or designs
• Make, buy, or reuse components
• Selecting testing tools and environment
• Determining alternative software coding approaches
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Activities that an organization may use a criteria-based decision-making process for include:
• Selecting elements to include in standard service descriptions
• Selecting, terminating, or renewing suppliers
• Selecting personnel training
• Selecting a transition and support approach, e.g., disaster recovery, service levels
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
DAR 2.2
Required Practice Information
Practice Statement
Develop criteria for evaluating alternatives.
Value
Enables consistent selection of optimal solutions.
Example Activities
DAR 2.3
Required Practice Information
Practice Statement
Identify alternative solutions.
Value
Increases the quality of the solution and customer satisfaction.
Example Activities
Context Specific
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
Suppliers may be needed to provide input to the decision analysis process, e.g., technical
expertise outside of acquirer’s capabilities. The acquirer has the ultimate decision-making
responsibility.
DAR 2.4
Required Practice Information
Practice Statement
Select evaluation methods.
Value
Optimizes the cost, schedule, and performance for the decision being made.
Example Activities
DAR 2.5
Required Practice Information
Practice Statement
Evaluate and select solutions using criteria and methods.
Value
Ensures that the optimal solution is selected.
Example Activities
Level 3
DAR 3.1
Required Practice Information
Practice Statement
Develop, keep updated, and use a description of role-based decision authority.
Value
Reduces business risk by ensuring the appropriate levels of authority are making and approving
decisions.
Identify and evaluate decisions to modify the decision-making process, roles, or techniques.
Example Activities
Intent
Minimizes and mitigates safety risks within the tolerance parameters and constraints of
operational effectiveness, time, and cost.
Value
Reduces the residual safety hazard risk to an acceptable tolerance level.
Explanatory PA Information
Practice Summary
Level 1
ESAF 1.1 Identify and record safety needs and hazards.
ESAF 1.2 Address prioritized safety needs and hazards.
Level 2
ESAF 2.1 Identify critical safety needs and constraints, keep them updated, and
use to develop and keep safety objectives current.
ESAF 2.2 Develop, keep updated, and follow an approach to address workplace
environment safety.
ESAF 2.3 Develop, keep updated, and follow an approach to address functional
safety for the solution.
Level 3
ESAF 3.1 Establish and deploy an organizational safety capability.
ESAF 3.2 Perform safety evaluations periodically and take action on results.
ESAF 3.3 Develop, keep updated, and follow organizational safety control
strategies.
External References
Level 1
ESAF 1.1
Required Practice Information
Practice Statement
Identify and record safety needs and hazards.
Value
Minimizes the occurrences and impacts from safety hazards.
Example Activities
ESAF 1.2
Required Practice Information
Practice Statement
Address prioritized safety needs and hazards.
Value
Identifies and mitigates safety hazards to an acceptable level, raising the level of operational
confidence and sustainability.
Example Activities
Level 2
ESAF 2.1
Required Practice Information
Practice Statement
Identify critical safety needs and constraints, keep them updated, and use to develop and keep
safety objectives current.
Value
Verifies that safety needs are effectively aligned with business priorities for performing the
work.
Example Activities
Example Work Products / Further Explanation
Safety vision
    A safety vision or mission sets expectations, culture, goals, and commitments for how the
    operations and work products address safety needs and hazards.
Safety objectives
Internal communications
    Reinforce safety messages and issues through consistent communication channels. Examples
    include:
    • Internal newsletters
    • Quarterly reports
    • Emails
Safety strategy
    Include alignment to goals and objectives, as well as alignment to any mandates from
    government officials.
Safety roles and responsibilities
    Include identification and management of specific hazard-related tasks and role alignment in
    work.
ESAF 2.2
Required Practice Information
Practice Statement
Develop, keep updated, and follow an approach to address workplace environment safety.
Value
Maximizes safety consistency and efficiency for the workplace and operations.
Example Activities
ESAF 2.3
Required Practice Information
Practice Statement
Develop, keep updated, and follow an approach to address functional safety for the solution.
Value
Maximizes consistency and efficiency to ensure safe operations.
Example Activities
Level 3
ESAF 3.1
Required Practice Information
Practice Statement
Establish and deploy an organizational safety capability.
Value
Improves efficiency in operational environments to minimize safety hazards and issues.
Example Activities
ESAF 3.2
Required Practice Information
Practice Statement
Perform safety evaluations periodically and take action on results.
Value
Ensures the approach to managing safety remains current, effective, and efficient.
Example Activities
ESAF 3.3
Required Practice Information
Practice Statement
Develop, keep updated, and follow organizational safety control strategies.
Value
Provides common organizational understanding and responsiveness to address and minimize
safety issues.
Example Activities
Intent
Develops and keeps updated the security approach that includes anticipating, identifying, and
taking actions to avoid or minimize the impacts of security issues on an organization or solution.
Value
Reduces the impact of security threats and vulnerabilities on business performance.
Explanatory PA Information
Practice Summary
Level 1
ESEC 1.1 Identify and record security needs and issues.
ESEC 1.2 Address prioritized security needs and issues.
Level 2
ESEC 2.1 Identify and record security needs, keep them updated, and use to
develop a security approach and objectives.
ESEC 2.2 Develop, keep updated, and follow an approach to address physical
security needs.
ESEC 2.3 Develop, keep updated, and follow an approach to address mission,
personnel, and process-related security needs.
ESEC 2.4 Develop, keep updated, and follow an approach to address cybersecurity
needs.
Level 3
ESEC 3.1 Establish and deploy an organizational security operations capability.
ESEC 3.2 Develop, follow, and implement an organizational security strategy,
approach, and architecture and keep them updated.
ESEC 3.3 Periodically perform security reviews and evaluations throughout the
organization and take action on results.
External References
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
A fundamental premise of DevSecOps is that teams incorporate security practices and personnel
into the application development process from the start and throughout all subsequent
development efforts with the goal of delivering a secure product. Security is not an
afterthought, a bolt-on at the end of the development lifecycle, or a separate set of unrelated
events. Security is a shared responsibility by everyone on the team. As a result, DevSecOps
teams should include security as a critical element during Design, Development, Delivery, and
Operations. For example, the team should automate security testing gates where practical and
apply them across development, test, and production environments. Automating security, like any
other recurring task, is critical to the success of DevSecOps teams.
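The automated security testing gate described above, as an added example in Python (not CMMI text and not any vendor's tool): a pipeline step that reads scan findings, applies an environment-specific blocking threshold, honours only time-boxed waivers that have not expired, and fails closed on anything it does not recognise. The severity names, the per-environment thresholds, the finding and waiver record shapes, and the sample findings are all assumptions constructed for the illustration.

```python
"""Automated security testing gate for a delivery pipeline.

Added example illustrating an automated security testing gate; it is not
CMMI text. The severity names, the per-environment thresholds, and the
finding/waiver record shapes are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# Ordering used to compare a finding's severity against a threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed policy: the closer a change gets to production, the lower the
# severity that is allowed to block it. The value is the lowest severity
# that fails the gate for that environment.
BLOCKING_THRESHOLD = {
    "development": "critical",
    "test": "high",
    "production": "medium",
}


@dataclass
class Finding:
    finding_id: str   # scanner's identifier for the issue
    component: str    # affected package or module
    severity: str     # one of SEVERITY_RANK, case-insensitive


@dataclass
class Waiver:
    finding_id: str
    approved_by: str
    expires: date     # waivers are time-boxed; an expired one does not count


@dataclass
class GateResult:
    environment: str
    passed: bool
    blocking: list = field(default_factory=list)         # findings that fail the gate
    waived: list = field(default_factory=list)           # suppressed by a live waiver
    expired_waivers: list = field(default_factory=list)  # waivers that no longer apply


def evaluate_gate(findings, environment, waivers=(), today=None):
    """Return a GateResult; the gate fails if any blocking finding remains."""
    today = today or date.today()
    if environment not in BLOCKING_THRESHOLD:
        # Fail closed: an environment without a policy never passes silently.
        raise ValueError(f"no gate policy for environment {environment!r}")
    threshold = SEVERITY_RANK[BLOCKING_THRESHOLD[environment]]
    result = GateResult(environment=environment, passed=True)

    live_waivers = {}
    for w in waivers:
        if w.expires >= today:
            live_waivers[w.finding_id] = w
        else:
            result.expired_waivers.append(w.finding_id)

    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.lower())
        if rank is None:
            # Unknown severity also fails closed rather than slipping through.
            result.blocking.append(f.finding_id)
        elif rank < threshold:
            continue
        elif f.finding_id in live_waivers:
            result.waived.append(f.finding_id)
        else:
            result.blocking.append(f.finding_id)

    result.passed = not result.blocking
    return result


# Constructed scan output and waiver register, not from a real tool run.
SAMPLE_FINDINGS = [
    Finding("F-101", "libexample 1.2.0", "critical"),
    Finding("F-102", "webfw 3.4.1", "high"),
    Finding("F-103", "utils 0.9", "medium"),
    Finding("F-104", "docs-gen 2.0", "low"),
]
SAMPLE_WAIVERS = [
    Waiver("F-102", "appsec-lead", date(2030, 1, 1)),  # still valid
    Waiver("F-101", "appsec-lead", date(2020, 1, 1)),  # expired
]


def sample_run(environment, today=date(2024, 6, 1)):
    """Evaluate the constructed sample against one environment's policy."""
    return evaluate_gate(SAMPLE_FINDINGS, environment, SAMPLE_WAIVERS, today=today)


if __name__ == "__main__":
    for env in BLOCKING_THRESHOLD:
        r = sample_run(env)
        print(f"{env:12} {'PASS' if r.passed else 'FAIL'} blocking={r.blocking} waived={r.waived}")
```

On the constructed sample every environment fails, but for different reasons: development blocks only the critical finding whose waiver has lapsed, test additionally waives the high finding because its waiver is still live, and production also blocks the medium finding. The point of the design is that the same evidence is judged by a stricter rule the closer the change is to production, and that a waiver is a dated decision rather than a permanent suppression.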
Level 1
ESEC 1.1
Required Practice Information
Practice Statement
Identify and record security needs and issues.
Value
Minimizes disruption to the work and business operations resulting from security issues.
Example Activities
ESEC 1.2
Required Practice Information
Practice Statement
Address prioritized security needs and issues.
Value
Enables organizations to respond and address the most critical security needs rapidly and
effectively.
Example Activities
Level 2
ESEC 2.1
Required Practice Information
Practice Statement
Identify and record security needs, keep them updated, and use to develop a security approach
and objectives.
Value
Improves an organization’s capability to address ongoing security needs rapidly and
consistently.
Example Activities
ESEC 2.2
Required Practice Information
Practice Statement
Develop, keep updated, and follow an approach to address physical security needs.
Value
Enables organizations to address and resolve physical security needs and issues consistently
and effectively.
• Establishing and maintaining physical facilities and infrastructure, e.g., physical access,
physical access devices, entry and exit including supplier loading and offloading access
points, and establishment and management of Sensitive Compartmented Information
Facilities (SCIFs)
• Limiting physical access to organizational information systems, equipment, and the
respective operating environments to authorized individuals. This may often include using
background checks or ensuring individuals have the appropriate clearance level.
• Enforcing policies regarding safekeeping of Controlled Unclassified Information (CUI) or
other sensitive information. A common physical security incident is an intruder who
tailgates into a facility to obtain information. To prevent this, require employees to wear
badges, provide them with physical entry and exit tokens or fobs, and train them to be aware
of who is entering the building with them. Report unidentified personnel within the facility
to the on-site security officer immediately. If an intruder does enter the facility, protect
sensitive or CUI data by locking computer workstations and verifying that nothing sensitive is
left out in the open. For example, a “clean desk” policy requires sensitive data to be placed
and stored in locked, fire-proof file cabinets and/or drawers. Another key aspect of physical
security is surveillance of facilities, especially at entrances and exits.
• Protecting and monitoring the physical facility and support infrastructure for those
information systems, and the information they control, including verifying and physically
securing networks and the data that resides on and is transported by them
• Defining and improving processes to escort visitors and monitor visitor activity
• Providing security mechanisms, training, and protocols to address protection and security of
human life, such as active shooter drills, fire drills, shelter in place protocols, and actions
needed to address potential impacts of social or civil unrest, e.g., protests, rallies
• Maintaining and reviewing audit logs of physical access
• Controlling and managing physical access devices
• Enforcing safeguarding measures for sensitive information such as CUI at alternate work
sites, e.g., telework sites, including personnel home physical security when personnel
work from their homes
• Communicating and training personnel on physical security policies and approaches
• Establishing visual, audio, and signal perimeters or barriers
• Establishing and maintaining a trained and armed security force
• Establishing aerial or space surveillance
Example Activities
ESEC 2.3
Required Practice Information
Practice Statement
Develop, keep updated, and follow an approach to address mission, personnel, and process-
related security needs.
Value
Minimizes the impact of security issues on mission and personnel.
• Protecting the assets of the mission through secure design, operations, and management
governance
• Aligning work and work products within mission-relevant laws, regulations, and
requirements
• Applying a risk-based approach to mission security design, guidance, and decisions
• Continuously safeguarding against current and potential threats to the mission
One aspect of personnel security is privacy. Privacy frameworks, such as the U.S. National
Institute of Standards and Technology (NIST) Privacy Framework, can help organizations
manage privacy risks by:
• Taking privacy into account as solutions, systems, products, and services are designed
and deployed that affect employees, customers, and stakeholders
• Communicating with and training personnel in privacy policies and practices
• Encouraging cross-organizational workforce collaboration—for example, among executives,
legal, and Information Technology (IT) through the development of profiles, selection of
tiers, and achievement of outcomes
• Identifying a core set of privacy protection activities and outcomes that allows for
communicating prioritized privacy protection activities and outcomes across an organization
from the executive level to the implementation/operations level. The core includes an
increasingly granular set of activities and outcomes that enable an organizational dialogue
about managing privacy risk.
• Using a profile approach representing an organization’s current privacy activities or desired
outcomes. To develop a profile, an organization reviews all the outcomes and activities in
the core to determine which are most important to focus on, based on business or mission
drivers, data processing ecosystem role(s), types of data processing, and individuals’ privacy
needs. An organization can develop or add functions, categories, and subcategories as
needed. Use profiles to:
o Identify opportunities for improving privacy posture by comparing a current profile
(the “as is” state) with a target profile (the “to be” state)
o Conduct self-assessments and communicate within an organization or between
organizations about how to manage privacy risks
Example Activities
ESEC 2.4
Required Practice Information
Practice Statement
Develop, keep updated, and follow an approach to address cybersecurity needs.
Value
Enables an organization to anticipate and more effectively manage and respond to cybersecurity
needs.
Example Activities
Level 3
ESEC 3.1
Required Practice Information
Practice Statement
Establish and deploy an organizational security operations capability.
Value
Increases organizational agility to address security issues more rapidly and effectively.
A security operations center (SOC) acts like the hub or central command post, taking in measurements and data from
across an organization's infrastructure, including its networks, devices, solutions, applications,
and information stores, wherever these assets reside. The complexity of advanced threats
places a premium on collecting context from diverse sources. Essentially, the SOC provides
coordination for all logged events monitored within the organization. The SOC decides how to
manage and address security events. A SOC may consist of multiple security operations teams,
each responsible for monitoring and protecting allocated assets, such as intellectual property,
personnel data, business systems, and brand integrity. Additional security operations activities
may include:
• Policy management and distribution systems
• Compliance monitoring and management tools
• Access management workflow systems
• Vulnerability scanning tools
• Security configuration monitoring tools
Example Activities
Example Activity: Identify approach, roles, responsibilities, and tasks required for operating the security function and keep updated.
Further Explanation: The security operations function should:
• Gain a complete view of the business threat landscape, including not only the distinct types of endpoints, servers, devices, and software on premises, but also third-party services and traffic flowing between these assets
• Enable a complete understanding of all security tools on hand, and all workflows in use for operations across the organization
• Develop and implement an organizational approach to security architecture and operations that addresses the organization’s physical, mission, personnel, process security, and cybersecurity needs
Example Activity: Identify, deploy, monitor, and keep updated security resources.
Further Explanation: The security operations function is responsible for:
• Safeguarding designated devices, processes, and applications
• Managing defensive tools to help ensure protection
Resources may include systems and tools such as:
• Vulnerability assessment solutions
• Governance, Risk, and Compliance (GRC) systems
• Application and database scanners
• Security information and event management (SIEM) systems
• Intrusion prevention systems (IPS)
• User and entity behavior analytics (UEBA)
• Endpoint detection and remediation (EDR)
• Threat intelligence platforms (TIP)
Example Activity: Conduct preparation and preventative maintenance.
Further Explanation:
• Preparation includes security operations team members staying informed on the newest security innovations, the latest trends in cybercrime, and the development of new threats on the horizon. This research can help inform the creation of a security roadmap that provides direction for the company’s security and cybersecurity efforts going forward, and a disaster recovery plan that serves as ready guidance in a worst-case scenario.
• Preventative maintenance includes all actions taken to make successful attacks more difficult, including regularly maintaining and updating existing systems; updating firewall policies; patching vulnerabilities; and whitelisting, blacklisting, and securing applications
Example Activity: Perform continuous security monitoring.
Further Explanation: Tools used by the security operations function scan the network 24/7 to flag any abnormalities or suspicious activities. Monitoring the network around the clock allows the team to be notified immediately of emerging threats, giving them the best chance to prevent or mitigate harm. Monitoring tools can include an SIEM or an EDR, the most advanced of which can use behavioral analysis to “teach” systems the difference between regular day-to-day operations and actual threat behavior, minimizing the amount of triage and analysis that must be performed by personnel.
Example Activity: Conduct alert ranking and management.
Further Explanation: When monitoring alerts from tools, it is the responsibility of the security operations function to look closely at each one, discard any false positives, determine how aggressive any actual threats are, and what they could be targeting. This allows them to triage emerging threats appropriately, handling the most urgent issues first.
Example Activity: Respond to threats.
Further Explanation: As soon as an incident is confirmed, the security operations function acts as first responder, performing actions like shutting down or isolating endpoints, terminating harmful processes (or preventing them from executing), deleting files, etc. The goal is to respond to the extent necessary while minimizing the impact on business continuity.
Example Activity: Conduct recovery and remediation activities.
Further Explanation: After an incident occurs, the security operations team works to identify the problem, restore systems, and recover any lost or compromised data. These activities may include removing and restarting endpoints, reconfiguring systems and access, or, in the case of ransomware attacks, testing and deploying backups to avoid the impact of the ransomware. When successful, this step returns the network to the state it was in prior to the incident.
Example Activity: Manage security operations logs.
Further Explanation: The security operations function is responsible for collecting, keeping updated, and regularly reviewing the log of all network activity and communications for the entire organization. This data helps define a baseline for “normal” network activity. It can help to reveal the existence of threats and is used for remediation and forensics in the aftermath of an incident. Many security operations teams use a SIEM to aggregate and correlate the data feeds from applications, firewalls, operating systems, and endpoints - all of which produce their own internal logs.
Example Activity: Conduct security incident investigation.
Further Explanation: In the aftermath of an incident, the security operations team is responsible for figuring out exactly what happened including when, how, and why. During this investigation, the security operations team uses log data and other information to trace the problem to its source, which helps prevent similar problems from occurring in the future.
Example Activity: Refine and improve security operations.
Further Explanation: Cybercriminals are constantly refining their tools and tactics to stay ahead of the industry. The security operations team implements improvements on a continuous basis following plans outlined in the security roadmap. This refinement can also include hands-on practices such as:
• Red-teaming: A red team is a group of offensive security professionals tasked with using real-life adversarial techniques to help organizations identify and address vulnerabilities across infrastructure, systems, and applications, as well as weaknesses in processes and human behavior.
• Blue-teaming: A blue team, typically based in a SOC, is a group of analysts and engineers responsible for defending organizations from cyber-attacks through a combination of threat prevention, deception, detection, and response.
• Purple-teaming: Purple teaming is a security methodology whereby red and blue teams work closely together to maximize cyber capabilities through continuous feedback and knowledge transfer. Purple teaming can help security teams to improve the effectiveness of vulnerability detection, threat hunting, and network monitoring by accurately simulating common threat scenarios and facilitating the creation of new techniques designed to prevent and detect new types of threats.
Example Activity: Manage security compliance activities, plans, and processes.
Further Explanation: Many of the security operations processes are guided by established best practices, but some are governed by compliance requirements. The security operations team is responsible for regularly auditing their systems to ensure compliance with such regulations, which may be issued by their organization, by their industry, or by governing bodies. Examples of these regulations include:
• Cybersecurity Maturity Model Certification (CMMC)
• National Institute of Standards and Technology (NIST)
• General Data Protection Regulation (GDPR)
• U.S. Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)
• International Standards Organization (ISO) 27000 series
• International Traffic and Arms Regulations (ITAR)
• Information privacy acts
Acting in accordance with these regulations not only helps safeguard the sensitive data that the company has been entrusted with, it can also shield the organization from reputational damage and legal challenges resulting from a breach.
Example Activity: Develop and implement a security awareness program and keep it current.
Further Explanation: The security awareness program may include the following activities:
• Security awareness newsletters
• Web postings
• Mock phishing emails
• Security awareness training
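The activities above for continuous security monitoring, alert ranking, and management of security operations logs describe a pipeline: collect logs, derive a baseline of normal activity, raise alerts on deviations, discard false positives, and rank what remains so the most urgent issue is handled first. The following Python block is an added example of that pipeline and is not part of the CMMI model or ISACA's material. The log lines, the asset criticality values, the known-benign scanner address, and the failed-login threshold are all constructed for the example; the two detection rules and the scoring formula are assumptions chosen to illustrate the idea, not a prescribed SOC design.

```python
import re
from collections import Counter

# Constructed SIEM-style log lines (sample data, not from the CMMI text):
# an ISO timestamp followed by key=value fields.
BASELINE_LOGS = [
    "2023-11-19T09:00:00Z host=web01 src=10.0.0.5 user=alice event=login result=success",
    "2023-11-19T10:00:00Z host=db01 src=10.0.0.9 user=dba event=login result=success",
    "2023-11-19T11:00:00Z host=web01 src=10.0.0.7 user=bob event=login result=success",
]
MONITOR_LOGS = [
    "2023-11-20T09:00:00Z host=web01 src=10.0.0.5 user=alice event=login result=success",
    "2023-11-20T09:01:00Z host=db01 src=198.51.100.23 user=dba event=login result=failure",
    "2023-11-20T09:01:05Z host=db01 src=198.51.100.23 user=dba event=login result=failure",
    "2023-11-20T09:01:10Z host=db01 src=198.51.100.23 user=dba event=login result=failure",
    "2023-11-20T09:01:15Z host=db01 src=198.51.100.23 user=dba event=login result=success",
    "2023-11-20T09:30:00Z host=web01 src=10.0.0.250 user=scanner event=login result=failure",
    "2023-11-20T09:30:01Z host=web01 src=10.0.0.250 user=scanner event=login result=failure",
    "2023-11-20T09:30:02Z host=web01 src=10.0.0.250 user=scanner event=login result=failure",
]

# Assumed triage inputs: asset criticality (1 = low, 5 = crown jewel) and the
# address of the organization's own vulnerability scanner, a known false-positive source.
ASSET_CRITICALITY = {"db01": 5, "web01": 3}
KNOWN_BENIGN_SOURCES = {"10.0.0.250"}
FAILED_LOGIN_THRESHOLD = 3  # failures from one (host, src) pair before a burst alert fires

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Parse one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for field in m.group("fields").split():
        if "=" in field:
            key, value = field.split("=", 1)
            rec[key] = value
    return rec


def build_baseline(lines):
    """Baseline of 'normal' activity: (user, src) pairs with a successful login in the window."""
    baseline = set()
    for rec in map(parse_line, lines):
        if rec and rec.get("event") == "login" and rec.get("result") == "success":
            baseline.add((rec["user"], rec["src"]))
    return baseline


def detect(lines, baseline):
    """Run two detections over the monitoring window and return raw alerts.

    1. failed_login_burst: FAILED_LOGIN_THRESHOLD failures from the same (host, src).
    2. login_from_new_source: a successful login by a (user, src) pair absent from the baseline.
    """
    alerts = []
    failures = Counter()
    for rec in map(parse_line, lines):
        if not rec or rec.get("event") != "login":
            continue
        pair = (rec["host"], rec["src"])
        if rec["result"] == "failure":
            failures[pair] += 1
            if failures[pair] == FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "failed_login_burst", "host": rec["host"],
                               "src": rec["src"], "user": rec["user"], "severity": 3})
        elif (rec["user"], rec["src"]) not in baseline:
            alerts.append({"rule": "login_from_new_source", "host": rec["host"],
                           "src": rec["src"], "user": rec["user"], "severity": 4})
    return alerts


def triage(alerts):
    """Discard known false positives, score by severity x asset criticality, most urgent first."""
    ranked = []
    for alert in alerts:
        if alert["src"] in KNOWN_BENIGN_SOURCES:
            continue  # the organization's own scanner: a known false positive
        score = alert["severity"] * ASSET_CRITICALITY.get(alert["host"], 1)
        ranked.append({**alert, "score": score})
    ranked.sort(key=lambda a: a["score"], reverse=True)
    return ranked


def run():
    """End-to-end: baseline, detect, triage. Returns the ranked alert queue."""
    return triage(detect(MONITOR_LOGS, build_baseline(BASELINE_LOGS)))


if __name__ == "__main__":
    for alert in run():
        print(alert["score"], alert["rule"], alert["host"], alert["src"], alert["user"])
```

On the constructed data the scanner's failed logins produce a burst alert that triage discards, while the database host yields two real alerts; the successful login from a source never seen in the baseline ranks above the burst because the scoring weighs the asset's criticality, which is the "what could it be targeting" question the alert-ranking activity asks.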
ESEC 3.2
Required Practice Information
Practice Statement
Develop, follow, and implement an organizational security strategy, approach, and architecture
and keep them updated.
Value
Enables an organization to address organizational security needs and issues more rapidly,
consistently, and effectively.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps teams, in addition to the technical security architecture, must place particular
emphasis on emerging global cybersecurity and data privacy laws and regulations and
incorporate them into their requirements, solutions, tests, etc. Security should be part of the
criteria considerations for gate-checks in CI/CD pipelines. The organizational security strategy
and approach should either describe or reference all the security needs and policies for solution
architecture that DevSecOps teams should know and follow. For example:
• The U.S. National Institute of Standards and Technology (NIST) Cybersecurity
Framework (CSF) integrates industry standards and best practices to help organizations
manage their cybersecurity risks. It provides a common language that allows personnel at
all levels within an organization, and at all points in a supply chain, to develop a shared
understanding of their cybersecurity risks.
• Cybersecurity Maturity Model Certification (CMMC) is designed to address NIST 800-171
requirements to protect sensitive unclassified information shared by the Department of
Defense (DoD) with its contractors and subcontractors and provide assurance that Federal
Contract Information (FCI) and Controlled Unclassified Information (CUI) is protected at a
level commensurate with the risk from cybersecurity threats, including Advanced
Persistent Threats.
Currently, some of the most prominent data privacy laws and regulations that DevSecOps
teams need to be familiar and comply with are:
• General Data Protection Regulation (GDPR) was developed and passed by the European
Union (EU) in 2018. GDPR identifies requirements for any organization that targets or
collects information related to people in the EU and imposes significant fines for violations.
• Personal Information Protection Law (PIPL) went into effect in 2021 in China,
establishing personal information processing rules, data subject rights, etc.
In the United States, individual states are also starting to develop their own privacy laws that
are modeled after the GDPR. Examples include:
• California Consumer Privacy Act (CCPA) requires businesses to provide information about
their privacy practices and gives California consumers privacy rights specific to the
personal information collected.
• Virginia Consumer Data Protection Act (CDPA) applies to organizations that conduct
business in Virginia or produce products or services that are targeted to Virginia residents.
• Colorado Privacy Act (CPA) grants Colorado residents the right to access, correct, and
delete the personal data held by organizations subject to the law. It also gives Colorado
residents the right to opt-out of the processing of their personal data.
ESEC 3.3
Required Practice Information
Practice Statement
Periodically perform security reviews and evaluations throughout the organization and take
action on results.
Value
Enables an organization to confirm that the security approach and strategy are working
effectively.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps teams incorporate security reviews and testing throughout each of their
development lifecycle phases and steps. These activities typically include static code analysis
and routine penetration testing in addition to other automated and manual testing processes.
Evaluations should include use of open source in the code repository with clear, objective, and
unambiguous criteria. Teams should consistently follow through to bring all identified actions to
closure, and verify that the actions achieve expected results regarding all security requirements,
vulnerabilities, and constraints.
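The evaluation of open source in the repository against "clear, objective, and unambiguous criteria", with follow-through to closure, is the kind of check a DevSecOps team codifies as a CI/CD gate rather than a manual review. The Python block below is an added example of such a gate and is not from the CMMI model or ISACA; the dependency manifest, the advisory feed (placeholder identifiers, not real advisories), the allowed-license list, and the blocking severities are all constructed assumptions for this illustration. The closure check re-runs the same evaluation against the remediated manifest so that "the actions achieve expected results" is verified by the criteria themselves rather than by a ticket being marked done.

```python
# Constructed dependency manifest for a fictional service: (package, version, declared license).
MANIFEST = [
    ("acme-json", "1.2.3", "Apache-2.0"),
    ("acme-pad", "0.9.0", "GPL-3.0"),
    ("acme-http", "2.31.0", "MIT"),
]

# Constructed advisory feed with placeholder identifiers (not real advisories).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "acme-json", "fixed_in": "1.2.4", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "package": "acme-http", "fixed_in": "2.20.0", "severity": "high"},
]

# Objective, written-down criteria the gate applies (assumed policy for this example).
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
BLOCKING_SEVERITIES = {"high", "critical"}


def version_key(version):
    """Numeric tuple for dotted versions, so '1.10.0' sorts after '1.9.0'."""
    return tuple(int(part) for part in version.split("."))


def evaluate(manifest, advisories=ADVISORIES):
    """Apply the criteria to every dependency and return the list of findings."""
    findings = []
    for package, version, license_id in manifest:
        if license_id not in ALLOWED_LICENSES:
            findings.append({"package": package, "rule": "license_not_allowed",
                             "detail": license_id, "severity": "high"})
        for adv in advisories:
            if adv["package"] == package and version_key(version) < version_key(adv["fixed_in"]):
                findings.append({"package": package, "rule": "known_vulnerable_version",
                                 "detail": adv["id"], "severity": adv["severity"]})
    return findings


def gate_passes(findings):
    """Pipeline gate: block the release when any finding has a blocking severity."""
    return not any(f["severity"] in BLOCKING_SEVERITIES for f in findings)


def verify_closure(earlier_findings, remediated_manifest, advisories=ADVISORIES):
    """Re-run the evaluation after remediation; mark each earlier finding closed or still open."""
    still_open = {(f["package"], f["rule"], f["detail"])
                  for f in evaluate(remediated_manifest, advisories)}
    return [{**f, "closed": (f["package"], f["rule"], f["detail"]) not in still_open}
            for f in earlier_findings]


# Constructed manifest after the team acted on the findings.
REMEDIATED_MANIFEST = [
    ("acme-json", "1.2.4", "Apache-2.0"),  # upgraded to the fixed version
    ("acme-pad", "0.9.0", "MIT"),          # swapped for a fork under an allowed license
    ("acme-http", "2.31.0", "MIT"),
]

if __name__ == "__main__":
    findings = evaluate(MANIFEST)
    print("gate passes:", gate_passes(findings))
    for item in verify_closure(findings, REMEDIATED_MANIFEST):
        print(item["package"], item["rule"], "closed" if item["closed"] else "open")
```

On the constructed input the first run blocks the release on two findings (a vulnerable version and a disallowed license) while the already-patched package raises nothing; the re-run against the remediated manifest reports both findings closed and the gate passes.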
Intent
Defines and manages an approach for effective virtual work and operations.
Value
Maximizes delivery effectiveness and efficiency while reducing the impact and expense from
travel and in-person activities.
Explanatory PA Information
Practice Summary
Level 1
EVW 1.1 Identify and record virtual work needs and constraints.
EVW 1.2 Perform virtual work.
Level 2
EVW 2.1 Develop, keep updated, and use an approach to perform virtual work.
EVW 2.2 Monitor the virtual work approach and take corrective action when
needed.
Level 3
EVW 3.1 Develop, keep updated, and use an organizational strategy, approach,
and functional capability for performing virtual work.
EVW 3.2 Perform reviews periodically on the effectiveness of the organization’s
virtual work approach and take action on results.
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
It is common for software teams, including DevSecOps teams, to operate remotely and to be
geographically dispersed. This is especially true of global corporations and organizations that
have outsourced their Information Technology (IT) to third parties or that use a follow-the-sun
method to ensure that work is performed during normal work hours anywhere in the world, no
matter the time zone. For these teams, virtual and remote is the standard way work is
performed and usually is supported by an organizationally supported tool suite with automated
workflows.
Level 1
EVW 1.1
Required Practice Information
Practice Statement
Identify and record virtual work needs and constraints.
Value
Minimizes disruptions to virtual work.
Example Activities
EVW 1.2
Required Practice Information
Practice Statement
Perform virtual work.
Value
Reduces costs and increases collaboration effectiveness.
Example Activities
Level 2
EVW 2.1
Required Practice Information
Practice Statement
Develop, keep updated, and use an approach to perform virtual work.
Value
Increases the ability, flexibility, and consistency for virtual work.
Example Activities
Example Activity: Coordinate with customer and affected stakeholders to determine and then communicate virtual work needs and constraints.
Further Explanation: Focus on the prioritized needs and constraints that are critical for each customer or stakeholder group, including the needs and constraints for both recipients of virtual work and deliverers of the virtual solution. Other aspects include, but are not limited to:
• Language
• Need for translation
• Need for identity verification while protecting privacy information
• Time zone/geographic location of participants
• Duration of virtual sessions
• Cultural
• Physical
• Personnel, staff, e.g., physical and mental endurance and attention, hearing/visual constraints, use of cameras
• Functional, e.g., breakout rooms, whiteboards
• Logistical, e.g., equipment, headphones, microphones
• Regulatory
• Security, privacy, confidentiality, non-attribution, and nondisclosure data
• Technical (for platforms/tools), e.g., minimum computing and operating system requirements for participants and use cases, functional capabilities needed
• Technical capability of the people performing virtual work or delivering virtual solutions (recipients and deliverers) and their administration and access privileges
• Process inputs, activities, and outputs
• Performance, e.g., minimum bandwidth requirements, interactivity
Example Activity: Identify mitigations, workarounds, and contingencies for virtual work.
Further Explanation: Include statements of relevance of quality, fidelity, confidentiality, integrity, nondisclosure, and availability for the primary approach and functionality, based on anticipated impact levels for loss.
Example Activity: Identify, evaluate, and rate performance impacts resulting from use of virtual work technologies.
Further Explanation: Evaluate and consistently rate performance, e.g., customer satisfaction, productivity, cost, time to delivery, based on leveraging defined scales against impact categories and impact levels.
• Records of communication about approach with customers and affected stakeholders
• List of needs and constraints and their mitigation, workarounds, and contingencies
• Virtual work verification, validation, and effectiveness evaluation and results
EVW 2.2
Required Practice Information
Practice Statement
Monitor the virtual work approach and take corrective action when needed.
Value
Increases ability to resolve virtual work issues in a consistent manner.
Example Activities
Level 3
EVW 3.1
Required Practice Information
Practice Statement
Develop, keep updated, and use an organizational strategy, approach, and functional capability
for performing virtual work.
Value
Reduces cost of virtual activities and improves operational efficiencies.
Example Activities
EVW 3.2
Required Practice Information
Practice Statement
Perform reviews periodically on the effectiveness of the organization’s virtual work approach
and take action on results.
Value
Increases efficient use of organizational virtual work approaches.
Example Activities
Estimating (EST)
EST Overview
Required PA Information
Intent
Estimates the size, effort, duration, and cost of the work and resources needed to develop,
acquire, or deliver the solution.
Value
Provides a basis for making commitments, planning, and reducing uncertainty, which allows for
early corrective actions and increases the likelihood of meeting objectives.
Explanatory PA Information
Practice Summary
Level 1
EST 1.1 Develop high-level estimates to perform the work.
Level 2
EST 2.1 Develop, keep updated, and use the scope of what is being estimated.
EST 2.2 Develop and keep updated estimates for the size of the solution.
EST 2.3 Based on size estimates, develop and record effort, duration, and cost
estimates and their rationale for the solution.
Level 3
EST 3.1 Develop and keep updated a recorded estimation method.
EST 3.2 Use the organizational measurement repository and process assets for
estimating work.
Context Specific
Agile Development
Agile development teams estimate the work during backlog grooming and Sprint planning
sessions:
• Estimates for backlog items are typically a rough order of magnitude
• Some agile development teams develop a comprehensive estimate of work during release
planning for a set of stories or epics
• Estimates for Sprints are typically more refined, allowing the team to understand
commitments
Agile estimation typically includes:
• Size: During backlog review, assign backlog items, such as requirements and user stories,
a relative size using story points. The transformation of user stories into story points
considers the size and complexity of the solution. In addition to story points, agile
development teams may use t-shirt size estimation (small, medium, large, or extra-large).
Often requirements are converted into user stories before estimating is performed.
Complex needs or requirements may be transformed into an epic, which is typically a
large user story that can span more than one Sprint. If the epic spans more than one
Sprint, it is typically broken into smaller user stories.
• Tasks and Effort: During Sprint estimating and Sprint planning, agile development teams
and the product owner collaborate to select user stories off the backlog based on the
priority of the product owner. The team then estimates these user stories using relative
sizing techniques such as story points or t-shirt sizing. Using the team’s known velocity as
a guide, prioritized stories are accepted by all stakeholders into the Sprint. Some agile
teams estimate the task effort in hours for each story based on historical data or another
effort estimation technique.
o Determine how many user stories can be committed to the Sprint when team velocity
is known (story points completed per Sprint)
o Estimate effort at the task level and use the total to determine the amount of work
that can fit into a Sprint based on available capacity
o Use known velocity numbers to make a first estimate of what can be committed to in a
Sprint, and then use task breakdown and effort data to refine and validate the
decision
• Task Assumptions: Discuss and confirm assumptions during Sprint planning events and
review during the retrospective to improve estimates. Record, clarify, and communicate
assumptions during these events.
Examples of agile activities with corresponding estimating descriptions are reflected in Table
EST-2: Example Agile Estimating Activities.
People
Level 1
EST 1.1
Required Practice Information
Practice Statement
Develop high-level estimates to perform the work.
Value
Addresses work size, cost, and schedule uncertainties to avoid pursuing work that may result in
schedule or budget overruns.
Example Activities
Level 2
EST 2.1
Required Practice Information
Practice Statement
Develop, keep updated, and use the scope of what is being estimated.
Value
Ensures the entire solution is addressed which increases the likelihood of meeting objectives
and avoiding rework.
Example Activities
Example Activity: Gather information to estimate the size, effort, cost, resources, and duration.
Further Explanation: Includes both resource capacity and availability.
Example Activity: Identify constraints, boundaries and limits of scope.
Context Specific
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
Consider activities associated with the acquisition strategy when determining scope. For
example, a complex project can involve managing multiple supplier agreements with one or
more suppliers.
EST 2.2
Required Practice Information
Practice Statement
Develop and keep updated estimates for the size of the solution.
Value
Enables work tracking and timely corrective actions to deliver the solution on time and within
budget.
Example Activities
Context Specific
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Context: Use processes to identify, select, and manage suppliers and their agreements.
EST 2.3
Required Practice Information
Practice Statement
Based on size estimates, develop and record effort, duration, and cost estimates and their
rationale for the solution.
Value
Enables a better basis for commitments and improves accuracy of the estimates, leading to
better decision-making.
Example Activities
Context Specific
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Service estimates should consider the effort and cost associated with delivering the service.
Individual services can have associated workflows or detailed steps that involve points of
communication, evaluation, and decision. Consider these lifecycles when estimating the
requirements to support the delivery of individual services.
Parameters to consider include:
• Service characteristics
• Service system and service system components
• Delivery environment
When estimating effort and cost, include infrastructure resources that support services. For
example:
• Computer workstations
• Power, space, and cooling requirements
• Tools for use by service teams
• Facilities
• Network and communications requirements
• Machinery and equipment
• Support for shift work
Inputs used for estimating effort and cost include:
• Availability of services, by service level, e.g., turnaround time, operational availability
ratio, number of calls the help desk should be able to handle per hour
• Level of security required for tasks, work products, hardware, software, personnel, and
the work environment
• Service and service system requirements
• Service approach
• Size estimates of work products, tasks, and anticipated changes
• Cost of externally acquired products
• Capability of tools provided
• Capability of manufacturing processes
• Experience of service participants
• Proximity of customers, end users, and suppliers
• Technical approach
• Consumables (resources that the service provider needs to replenish or replace before,
during, or after providing a service)
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
The amount of supplier work largely determines the amount of acquirer work required to
manage the project and the supplier. Effort for the acquirer includes effort associated with:
• Defining the project and scope
• Developing the solicitation and supplier agreement
• Managing the agreement and technical activities
• Planning, monitoring, and controlling the project and supplier
• Developing and updating acquisition requirements
The project derives detailed estimates for activities performed by the acquirer and its
stakeholders. The acquirer should include stakeholder representatives to ensure they have
accounted for all technical or service considerations in the estimates. As the work evolves,
revise estimates based on changing conditions or requirements.
Additionally, the acquirer needs to estimate the cost and effort for the acquired solutions.
Estimates should address effort and cost for supplier management and reporting requirements.
The acquirer should review its supplier effort and cost estimates with external individuals to
ensure reasonable estimates.
Level 3
EST 3.1
Required Practice Information
Practice Statement
Develop and keep updated a recorded estimation method.
Value
Maximizes consistency and efficiency for developing accurate estimates and increases the
likelihood of meeting objectives.
Example Activities
EST 3.2
Required Practice Information
Practice Statement
Use the organizational measurement repository and process assets for estimating work.
Value
Increases estimation precision, accuracy, and consistency enabling better decision-making, a
higher likelihood of meeting objectives, and reduced risk.
Example Activities
Context Specific
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
Governance (GOV)
GOV Overview
Required PA Information
Intent
Provides guidance to senior management on their role in the sponsorship and governance of
performance, processes, and related activities.
Value
Minimizes the cost of process implementation, increases the likelihood of meeting objectives,
and verifies that the implemented processes support and contribute to the success of the
business.
Explanatory PA Information
Practice Summary
Level 1
GOV 1.1 Senior management identifies what is important for doing the work and
defines the approach needed to accomplish the objectives of the
organization.
Level 2
GOV 2.1 Senior management defines, keeps updated, and communicates
organizational directives for process implementation and performance
improvement based on organization needs and objectives.
GOV 2.2 Senior management provides funding, resources, and training for
developing, supporting, performing, improving, and evaluating adherence
to processes.
GOV 2.3 Senior management identifies their information needs and uses the
collected information to provide governance and oversight of effective
process implementation and performance improvement.
GOV 2.4 Senior management assigns authority and holds people accountable for
adhering to organization directives and achieving process implementation
and performance improvement objectives.
Level 3
GOV 3.1 Senior management ensures that measures supporting objectives
throughout the organization are collected, analyzed, and used.
GOV 3.2 Senior management ensures that competencies and processes are
aligned with the objectives of the organization.
Level 4
GOV 4.1 Senior management verifies that selected decisions are driven by
statistical and quantitative analysis related to performance and
achievement of quality and process performance objectives.
Context Specific
Data
Context: Use processes to incorporate data management best practices as an integral part
of the solution.
Senior Management sponsorship and commitment for managing data must be visible, e.g., in
the definition of process needs, organizational objectives and directives, roles and
responsibilities, resources, participation, involvement, leadership.
Data objectives cannot be met by technologies and techniques alone. High quality is the
result of continued scrutiny, shared and communicated across the organization by all
stakeholders. An implementable approach for managing data may require a cultural shift,
obtained through strong support from executive management and sustained by promoting,
educating, and mandating attention to the data assets.
The most effective approach to managing data is visibly and actively endorsed by executive
management and supported by mandatory organizational policy.
People
Develop competency and work empowerment related objectives that support the overall
business objectives. Align workforce competency descriptions with strategic and organizational
directives to achieve a balanced approach for continuous performance improvement.
Safety
Senior Management sponsorship and commitment for safety must be visible, e.g., in the
definition of process needs and objectives, organizational objectives, resources, extraordinary
attention, participation, involvement, and leadership. When commitment for any process starts
at the top, business objectives and goals flow down through the organization. It is important
that Senior Management listens to and acts upon safety issues and concerns raised throughout
the organization. Review safety management objectives and policies periodically with affected
stakeholders and update as necessary.
Security
Senior Management sponsorship and commitment for the security strategy and approach must
be visible, e.g., in the definition of process needs and objectives, organizational objectives,
resources, level of attention, participation, involvement, and leadership. When commitment for
any process starts at the top, business objectives and goals flow down through the
organization. It is important that Senior Management listens to and acts upon security issues
and concerns raised throughout the organization. Review security management objectives and
policies periodically with affected stakeholders and update as necessary.
Level 1
GOV 1.1
Required Practice Information
Practice Statement
Senior management identifies what is important for doing the work and defines the approach
needed to accomplish the objectives of the organization.
Value
Increases the likelihood that the organization implements and improves processes efficiently
and effectively to meet business objectives.
Example Activities
Level 2
GOV 2.1
Required Practice Information
Practice Statement
Senior management defines, keeps updated, and communicates organizational directives for
process implementation and performance improvement based on organization needs and
objectives.
Value
Increases likelihood of meeting organizational needs and objectives because work is performed
in accordance with senior management’s expectations and priorities.
Example Activities
GOV 2.2
Required Practice Information
Practice Statement
Senior management provides funding, resources, and training for developing, supporting,
performing, improving, and evaluating adherence to processes.
Value
Increases the likelihood that senior management’s priorities for improvement will be met.
Example Activities
GOV 2.3
Required Practice Information
Practice Statement
Senior management identifies their information needs and uses the collected information to
provide governance and oversight of effective process implementation and performance
improvement.
Value
Aligns the information senior management receives with their business needs to increase the
likelihood of meeting business objectives.
Example Activities
Example Work Products and Further Explanation

Senior management information needs
    The people collecting and reporting the information must understand its importance and use.
    Senior management may not share sensitive or private information with the organization.

Standard reporting format or agenda for review with senior management
    Includes discussion items and expected content identified by senior management for the review.
    Report templates and tools provide an understandable, easily interpreted format for
    communicating the information identified for review by senior management.
    Reports may be produced periodically or as needed.
    Reports focus on the information needs identified by senior management using defined
    reporting formats and may include:
    • Measures
    • Data
    • Analysis of data, e.g., trend analysis, objective achievement analysis

List of measures
    Includes base and derived measures related to senior management improvement information
    needs and objectives.

Review results
    May include:
    • Topics reviewed
    • Measures reported
    • Decisions made
    • Proposed process changes
    • Proposed policy revisions
    • Results from objective evaluations
    • Action items with assignments and due dates
    May be provided as:
    • Meeting minutes provided to all participants
    • Direction from senior management
    • Other communication from senior management
GOV 2.4
Required Practice Information
Practice Statement
Senior management assigns authority and holds people accountable for adhering to
organization directives and achieving process implementation and performance improvement
objectives.
Value
Ensures that directives drive the implementation and improvement of processes to meet
business objectives.
Example Activities
Level 3
GOV 3.1
Required Practice Information
Practice Statement
Senior management ensures that measures supporting objectives throughout the organization
are collected, analyzed, and used.
Value
Increases the organization’s ability to successfully deliver its solutions.
Example Activities
Example Work Products and Further Explanation

Updated organizational measurement repository

Status reports, actions, and decisions
    These may:
    • Result from the collection, analysis, and use of measures.
    • Be used for performing work relating to performance and process improvement, solution
    delivery, etc.

Updated organizational directives and objectives
    Based on process performance results, consider updates to the following items:
    • Organizational strategy
    • Mission statement
    • Vision statement
    • Policies
GOV 3.2
Required Practice Information
Practice Statement
Senior management ensures that competencies and processes are aligned with the objectives
of the organization.
Value
Improves the capability of the organization to meet its objectives.
Example Activities
Level 4
GOV 4.1
Required Practice Information
Practice Statement
Senior management verifies that selected decisions are driven by statistical and quantitative
analysis related to performance and achievement of quality and process performance
objectives.
Value
Strengthens decision-making by using statistical and quantitative analysis to optimize
organizational performance.
Example Activities
Implementation Infrastructure (II)
II Overview
Required PA Information
Intent
Ensures that the processes and assets important to an organization’s performance are
habitually and persistently followed, used, and improved.
Value
Sustains the ability to consistently achieve goals and objectives efficiently and effectively.
Explanatory PA Information
Practice Summary
Level 1
II 1.1 Perform processes that address the intent of the Level 1 practices.
Level 2
II 2.1 Provide sufficient resources, funding, and training for developing and
performing processes.
II 2.2 Develop and keep processes updated, and verify they are being followed.
Level 3
II 3.1 Use organizational processes and process assets to plan, manage, and
perform the work.
II 3.2 Evaluate the adherence to and effectiveness of the organizational
processes.
II 3.3 Contribute process-related information or process assets to the
organization.
Level 4
II 4.1 Develop the organizational capability to understand and apply statistical
and other quantitative techniques to accomplish the work.
Context Specific
Data
Context: Use processes to incorporate data management best practices as an integral part
of the solution.
The approach for managing data is supported by processes that define standards and
guidelines for conducting activities necessary to achieve the relevant goals. Resources for
managing data must be provided, and include personnel with defined roles and responsibilities,
tools, and repositories for data and metadata. Processes and policies should cover the data
lifecycle activities including data profiling, data minimization, data cleansing, data quality
assessment, data retirement, and monitoring activities. These activities can be applied to areas
such as data store consolidations, data warehousing, source to target transformation, data
conversion, etc.
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
Robust infrastructure and processes are foundational to any DevSecOps implementation and
necessary to enable continuous deployment. A properly configured infrastructure provides
DevSecOps teams with speed, automation, efficiency, quality, and enhanced cybersecurity.
Invest early in a properly designed DevSecOps infrastructure, and periodically evaluate the
effectiveness and efficiency of the infrastructure and processes to make implementation more
successful and sustainable. Infrastructure as Code (IaC) is an approach used to manage
infrastructure and shift security and test left on the timeline.
Safety
Develop a security strategy and related objectives, consistent with security policies, security
guidelines, procedures, technical security measures, and tools, to protect the infrastructure
where the work products are developed, stored, or delivered. Examples of work products that
require protection include plans, source code, design documents, and solutions. When defining
security objectives, consider the confidentiality, integrity, and availability of the work products.
Areas to define include:
• Technical security measures like encryption or network protection
• Physical access control, e.g., locked rooms and physical badge access
Level 1
II 1.1
Required Practice Information
Practice Statement
Perform processes that address the intent of the Level 1 practices.
Value
Improves the likelihood that solutions are complete, correct, and timely.
Example Activities
Level 2
II 2.1
Required Practice Information
Practice Statement
Provide sufficient resources, funding, and training for developing and performing processes.
Value
Increases the likelihood of successful process improvement efforts by having sufficient
resources.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps teams require funding for tools and training to enable process automation from
code commit through deployment. These tools enable the team to perform automated code
builds; unit, integration, security, and system testing; and to establish a continuous integration
and deployment environment. This environment is foundational to enabling the team to perform
Continuous Delivery (CD) or Continuous Deployment. Continuous Development is often
referenced together with Continuous Integration / Continuous Delivery (CI/CD). CI is the
regular unification of individual components into a shared build. Continuous Deployment,
another basic infrastructure capability, is the automated transfer of software directly into a
production environment. CD relies on rigorous static testing of source code and dynamic testing
of deployable artifacts. DevSecOps teams receive training to gain an understanding of basic
security practices, automated tools, continuous integration, environment configuration, and
operations, and they adopt and integrate these practices into their build and deployment
processes.
Infrastructure as Code (IaC), in which code is written to build infrastructure such as networks
and virtual machines, is growing in application. IaC is the managing and provisioning of
infrastructure through code instead of through manual processes. Configuration files containing
machine-readable infrastructure specifications are developed, making IaC the process of
managing and provisioning computer data centers through machine-readable definition files
rather than through physical hardware configuration or interactive configuration tools. IaC
configurations are easier to edit and distribute than physical hardware configurations or the
manual use of configuration tools.
II 2.2
Required Practice Information
Practice Statement
Develop and keep processes updated, and verify they are being followed.
Value
Minimizes waste by ensuring affected stakeholders focus on the most valuable activities that are
recorded in processes.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps teams make extensive use of measures and use tools to develop dashboards that
enable the teams to monitor their performance, verify that processes are being followed, and
evaluate and improve the overall health of their environments and pipelines. Review impacted
processes when new tools are adopted, and periodically for consistency. Analyzing verification
results, process adherence, and corresponding measurements enables the organization to target
which process improvements should be made. Retrospectives are an example of where teams
review their processes for effectiveness.
Level 3
II 3.1
Required Practice Information
Practice Statement
Use organizational processes and process assets to plan, manage, and perform the work.
Value
Leverages organizational learning and use of best practices, leading to reductions in rework and
cost, and increases in efficiency and effectiveness.
Example Activities
Context Specific
People
II 3.2
Required Practice Information
Practice Statement
Evaluate the adherence to and effectiveness of the organizational processes.
Value
Provides insight on potential cost-effective improvements to organizational processes and how
they are used.
Assessing effectiveness of processes and process assets helps keep them relevant to the
business needs and strategy. Analyze processes and process assets periodically. This analysis
helps to understand their strengths and weaknesses and to continually improve them to provide
value to the organization.
Methods for evaluating adherence and effectiveness include:
• Observation
• Evaluations, assessments, or audits
• Interviews
• Analysis of the use of work products and results
Effectiveness includes:
• Ease of use
• Fewer mistakes
• Optimal use of resources
• Timely delivery
• Improved performance
• Increased customer satisfaction
• Capability that meets needs
When assessing effectiveness, some questions that may help are:
• Why are we doing this?
• Who is the target audience?
• Can this be done in a simpler way?
• What is working?
• What is not working?
Process performance measurements can also be used to analyze the effectiveness of a process.
The benefits of a process can be demonstrated by performance improvements such as:
• Meeting objectives
• Reducing costs
• Reducing defects
• Increasing productivity
• Reducing cycle time
• Increasing customer satisfaction
• Increasing market share
Example Activities
II 3.3
Required Practice Information
Practice Statement
Contribute process-related information or process assets to the organization.
Value
Increases return on investment by improving the organizational processes and process assets.
Example Activities
Context Specific
Safety
Consider the following sources of information for contributing safety process-related information
or process assets to the organization:
• Safety logs
• Safety compliance reports
• Results of applying new safety methods, tools, and controls
• Stakeholder requests and information
• Experiences from performing safety training
• Test results from safety drills
Security
Level 4
II 4.1
Required Practice Information
Practice Statement
Develop the organizational capability to understand and apply statistical and other quantitative
techniques to accomplish the work.
Value
Empowers the workforce to use information to make effective changes and meet or exceed
business objectives.
Example Activities
Intent
Resolves and prevents disruptions promptly to sustain service delivery levels.
Value
Minimizes the impact of disruptions to meet objectives and customer commitments more
effectively.
Explanatory PA Information
Practice Summary
Level 1
IRP 1.1 Record and resolve incidents.
Level 2
IRP 2.1 Develop, keep updated, and follow an approach for incident resolution
and prevention.
IRP 2.2 Monitor and resolve each incident to closure.
IRP 2.3 Communicate incident status.
Level 3
IRP 3.1 Develop, keep updated, and use an incident management system for
processing and tracking incidents and their resolution.
IRP 3.2 Analyze selected incident and resolution data for prevention of future
incidents.
• Identifying and analyzing the underlying causes, e.g., reviewing problems that led to
incidents
• Identifying and implementing workarounds or specific actions that enable continuity of
work
• Identifying and implementing preventative actions for future incidents
• Communicating the status and resolution of incidents to affected stakeholders
• Validating the complete resolution of incidents with affected stakeholders
• Leveraging successful workaround solutions for future events
Incidents are actual or potential events that indicate a negative impact on service delivery.
Organizations should address incidents in a timely and effective manner according to the terms
of applicable customer agreements and requirements. Resolving incidents may result in a
change to the service delivery approach.
Incident resolution and prevention includes developing a process to address incidents reported
by customers, end users, and affected stakeholders.
This process should include recording:
• Recurring incidents and their impact
• Underlying causes of incidents
• Workarounds
Examples of incidents include:
• Interruptions to a service or activity, e.g., website crash for an online store, equipment
failures in a factory, a power outage at a grocery store, a restaurant constantly running
out of a menu item, a concert cancelled because of weather, unusually long delays at an
understaffed call center
• Unacceptable performance, e.g., not delivering an order when promised, an elevator that
is stuck, an airline losing baggage
• Customer complaints
Addressing an incident may involve:
• Minimizing the effect of an incident
• Providing a workaround
• Removing the underlying cause or causes
• Monitoring the condition or series of events causing the incident
It may not make business sense to remove all underlying causes. It may be more effective to
address incidents with workarounds or resolve incidents on a case-by-case basis.
Organizations can expect to reduce the recurrence of specific incidents by identifying and
resolving the cause(s) of the incident(s).
The approach to resolving incidents can be as simple as receiving notification of an incident and
communicating the workaround or resolution, or as complex as a multi-component automated
system managing multiple inputs and outputs.
Context Specific
Safety
Safety hazards and events have the potential to negatively impact normal operations or service
delivery. Monitor safety hazards and events like any other interruption when identifying their
resolutions or workarounds, and address safety needs within the resolution.
Level 1
IRP 1.1
Required Practice Information
Practice Statement
Record and resolve incidents.
Value
Improves the ability to handle unexpected situations and still meet commitments.
Example Activities
Level 2
IRP 2.1
Required Practice Information
Practice Statement
Develop, keep updated, and follow an approach for incident resolution and prevention.
Value
Maintains customer satisfaction by addressing incidents in a consistent and efficient manner.
Example Activities
Example Work Products | Further Explanation
Recorded incidents and associated information | Examples of information to record about the incident may include:
• Name and contact information of the person who reported the incident
• Description of the incident
• Categories for classifying the incident
• Date and time incident occurred
• Date and time incident was reported
• Incident identifier, e.g., code, number
• Potential or actual cause of the incident
• Functions or groups involved in incident resolution and prevention
• Severity of the incident
• Priority of the incident
• Procedures employed
• Support tools used
• Conditions and steps to reproduce the incident
Incident criteria and categories | Examples of incident severity typically include:
• Likelihood and impact of incidents
o Critical, high, medium, low
o Numerical scales, e.g., 1-5 with 5 being the highest
• Escalation protocols
Incident categories vary depending on the context. For example, security incident categories may include:
• Probes or scans of internal or external systems, e.g., networks, web applications, mail servers
• Administrative or privileged access to accounts, applications, servers, networks, etc.
• Distributed denial of service attacks, web defacements, malicious code, e.g., viruses, malware
• Insider attacks or other misuse of resources, e.g., password sharing
• Loss of personally identifiable information
Incident resolution and prevention approach | Typically includes:
• Incident resolution and closure criteria
• Current and new severity and priority levels
• Categories of actions
• Response and escalation procedures
• Customer-identified acceptable minimum or maximum amounts of time to resolve an incident
• Roles, responsibilities, and authority for:
o Addressing underlying causes of incidents
o Monitoring and tracking the status of incidents
o Communicating the status of incidents
o Tracking the progress of actions related to incidents
• Escalation procedures
• Internal approvals, as required
• Communication mechanisms that customers and end users can use to report incidents or used to notify affected stakeholders when one occurs
Records of stakeholder reviews
Recorded workarounds or responses
Recorded lessons learned
Context Specific
Security
Consider the following common six-phase model when developing an approach to address
security incidents:
• Preparation
o How incidents are handled
o Policies
o Warning banners and information within information systems
o Communication plan
o Reporting
o Security incident handling process
o Physical location and equipment
• Identification
o Assigning ownership to an incident
o Verifying the incident
o Establishing chain of custody for evidence
o Determining severity and escalation, as needed
• Containment
o Activating response team
o Notifying stakeholders
o Obtaining agreement on actions impacting availability of services or systems
o Involving the stakeholders
o Obtaining and preserving evidence
o Executing and monitoring action plan
o Managing communications to stakeholders and public, as needed
• Eradication
o Determining signs and causes of incidents
o Identifying location of backups and alternative solutions
o Removing cause(s)
o Improving defenses through implementing protection techniques
o Analyzing vulnerabilities
• Recovery
o Restoring operations
o Validating action plan tasks
o Testing the solutions impacted
o Confirming normal operations
• Lessons learned
o Preparing incident report
o Analyzing issues throughout the incident response effort
o Analyzing threat intelligence
o Identifying improvements
o Communicating report to stakeholders
IRP 2.2
Required Practice Information
Practice Statement
Monitor and resolve each incident to closure.
Value
Maximizes effectiveness of incident resolution to minimize disruptions.
Example Activities
IRP 2.3
Required Practice Information
Practice Statement
Communicate incident status.
Value
Minimizes work disruption by ensuring that affected stakeholders have a common
understanding of the status of the incidents.
Example Activities
Level 3
IRP 3.1
Required Practice Information
Practice Statement
Develop, keep updated, and use an incident management system for processing and tracking
incidents and their resolution.
Value
Maximizes reuse of information about past incidents to help resolve future incidents and
minimize cost.
Example Activities
IRP 3.2
Required Practice Information
Practice Statement
Analyze selected incident and resolution data for prevention of future incidents.
Value
Increases customer satisfaction by preventing incident recurrence.
Select and analyze incidents using criteria to develop solutions to prevent recurrence. This
activity involves identifying incidents and determining their causes, then making changes to
prevent them.
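As an added example (not part of the CMMI model text), the following Python applies the approach elements described for IRP 2.1 and 2.2 (severity levels, customer-identified maximum resolution times, escalation) and the selection of recurring incidents for IRP 3.2 to a constructed security incident log; the severity levels, time limits and recurrence threshold are assumed values.

```python
"""Added example, not part of the CMMI model text: analysing a constructed
security incident log against the incident resolution and prevention
approach (IRP 2.1/2.2) and selecting recurring incidents for prevention
analysis (IRP 3.2).

Assumptions (mine): four severity levels, a customer-identified maximum
resolution time per level, and "recurring" meaning three or more
incidents in the same category. Categories follow the model's security
incident examples; every incident below is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Customer-identified maximum time to resolve, per severity (assumed values).
MAX_RESOLUTION_TIME = {
    "critical": timedelta(hours=4),
    "high": timedelta(hours=24),
    "medium": timedelta(days=3),
    "low": timedelta(days=10),
}
RECURRENCE_THRESHOLD = 3   # assumed selection criterion for IRP 3.2


@dataclass(frozen=True)
class Incident:
    """A recorded incident with a subset of the fields the work-product table lists."""
    ident: str
    category: str
    severity: str
    reported: datetime
    resolved: Optional[datetime] = None   # None while the incident is still open
    underlying_cause: str = ""            # filled in during analysis


# Constructed sample log; "now" is fixed so the example is reproducible.
NOW = datetime(2023, 11, 20, 12, 0)
CONSTRUCTED_INCIDENTS = [
    Incident("INC-001", "malicious code", "high", datetime(2023, 11, 18, 9),
             datetime(2023, 11, 18, 15), "unpatched workstation"),
    Incident("INC-002", "malicious code", "high", datetime(2023, 11, 19, 8),
             datetime(2023, 11, 20, 10), "unpatched workstation"),
    Incident("INC-003", "malicious code", "medium", datetime(2023, 11, 19, 14),
             None, "phishing attachment"),
    Incident("INC-004", "probe or scan", "low", datetime(2023, 11, 10),
             datetime(2023, 11, 12)),
    Incident("INC-005", "probe or scan", "low", datetime(2023, 11, 15),
             datetime(2023, 11, 16)),
    Incident("INC-006", "privileged access", "critical", datetime(2023, 11, 20, 6)),
    Incident("INC-007", "loss of PII", "high", datetime(2023, 11, 17, 10),
             datetime(2023, 11, 17, 20), "misaddressed export"),
]


def breaches_limit(inc: Incident, now: datetime) -> bool:
    """True when resolution took, or has so far taken, longer than agreed."""
    if inc.severity not in MAX_RESOLUTION_TIME:
        raise ValueError(f"{inc.ident}: unknown severity {inc.severity!r}")
    if inc.resolved is not None and inc.resolved < inc.reported:
        raise ValueError(f"{inc.ident}: resolved before reported")
    elapsed = (inc.resolved or now) - inc.reported
    return elapsed > MAX_RESOLUTION_TIME[inc.severity]


def escalation_candidates(incidents, now):
    """IRP 2.2 monitoring: incidents that need escalation under the approach."""
    return sorted(i.ident for i in incidents if breaches_limit(i, now))


def select_for_prevention(incidents):
    """IRP 3.2 selection: recurring categories with their causes and impact."""
    by_category = defaultdict(list)
    for inc in incidents:
        by_category[inc.category].append(inc)
    selected = {}
    for category, items in by_category.items():
        if len(items) < RECURRENCE_THRESHOLD:
            continue
        causes = Counter(i.underlying_cause or "unknown" for i in items)
        selected[category] = {
            "count": len(items),
            "causes": causes.most_common(),
            "high_impact": sum(1 for i in items if i.severity in ("critical", "high")),
        }
    return selected


if __name__ == "__main__":
    print("escalate:", escalation_candidates(CONSTRUCTED_INCIDENTS, NOW))
    for cat, info in select_for_prevention(CONSTRUCTED_INCIDENTS).items():
        print(cat, info)
```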
Example Activities
Intent
Manages performance using measurement and analysis to achieve business objectives.
Value
Maximizes business return on investment by focusing management and improvement efforts on
cost, schedule, and quality performance.
Quality and Process Performance Objectives (QPPOs) apply to High Maturity activities using
statistical and other quantitative techniques. These objectives include the use of statistical and
other quantitative techniques on the related data.
Explanatory PA Information
Practice Summary
Level 1
MPM 1.1 Collect measures and record performance.
MPM 1.2 Identify and address performance issues.
Level 2
MPM 2.1 Derive and record measurement and performance objectives from
selected business needs and objectives and keep them updated.
MPM 2.2 Develop, keep updated, and use operational definitions for measures.
MPM 2.3 Obtain specified measurement data according to the operational
definitions.
MPM 2.4 Analyze performance and measurement data according to the operational
definitions.
MPM 2.5 Store measurement data, measurement specifications, and analysis
results according to the operational definitions.
MPM 2.6 Take actions to address identified issues with meeting measurement and
performance objectives.
Level 3
MPM 3.1 Develop, keep updated, and use the organization’s measurement and
performance objectives traceable to business objectives.
MPM 3.2 Follow organizational processes and standards to develop and use
operational definitions for measures and keep them updated.
MPM 3.3 Develop, keep updated, and follow a data quality process.
MPM 3.4 Develop, keep updated, and use the organization’s measurement
repository.
MPM 3.5 Analyze organizational performance using measurement and performance
data to determine and address performance improvement needs.
MPM 3.6 Periodically communicate performance results to the organization.
Level 4
MPM 4.1 Use statistical and other quantitative techniques to develop, keep
updated, and communicate quality and process performance objectives
that are traceable to business objectives.
MPM 4.2 Select measures and analytic techniques to quantitatively manage
performance to achieve quality and process performance objectives.
MPM 4.3 Use statistical and other quantitative techniques to develop and analyze
process performance baselines and keep them updated.
MPM 4.4 Use statistical and other quantitative techniques to develop and analyze
process performance models and keep them updated.
MPM 4.5 Use statistical and other quantitative techniques to determine or predict
achievement of quality and process performance objectives.
Level 5
MPM 5.1 Use statistical and other quantitative techniques to ensure that business
objectives are aligned with business strategy to optimize performance.
MPM 5.2 Analyze performance data using statistical and other quantitative
techniques to determine the organization’s ability to satisfy selected
business objectives and identify potential areas for optimizing
performance.
MPM 5.3 Select and implement improvement proposals based on the statistical and
quantitative analysis of the expected effect of proposed improvements on
meeting and optimizing business, quality, and process performance
objectives.
Objective | Explanation
Achieve average initial pass rate of testing 86%, +/- 10% for automated testing per Sprint. | testing to automatic testing. By applying statistical process control to the automated testing, the organization has been able to significantly reduce the length of the testing process. Achieving this QPPO on a per Sprint basis enables the organization to maintain this level of performance for releases.
In the above examples, the business objectives and measurement and performance objectives
are indicative of processes that meet the intent and value of practices in Practice Groups 1, 2,
and 3. The QPPO example shows the evolution to achieving Practice Groups 4 and 5.
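As an added example (not code from the CMMI model or ISACA), the following Python checks the QPPO above against constructed per-Sprint automated test data, treating the statistical process control mentioned in the explanation as a p-chart baseline; reading +/- 10% as a band of ten percentage points (76% to 96%) and using 3-sigma limits are my assumptions.

```python
"""Added example, not part of the CMMI model text: evaluating the QPPO
"average initial pass rate of 86%, +/- 10% for automated testing per Sprint"
with a simple statistical process control (p-chart) baseline.

Assumptions (mine): the +/- 10% is a band of ten percentage points, i.e.
76%..96%; control limits are the usual 3-sigma binomial limits around the
pooled pass rate at the average subgroup size. All data is constructed.
"""
from dataclasses import dataclass
from math import sqrt

QPPO_TARGET = 0.86      # objective from the model's QPPO example
QPPO_TOLERANCE = 0.10   # +/- 10 percentage points (assumed reading)


@dataclass(frozen=True)
class SprintTestRun:
    """Automated test execution figures for one Sprint (constructed)."""
    sprint: str
    executed: int       # automated test cases executed in the Sprint
    passed_first: int   # cases that passed on their first execution


# Constructed sample data: five Sprints, one of them clearly off.
CONSTRUCTED_RUNS = [
    SprintTestRun("S1", 200, 174),
    SprintTestRun("S2", 180, 158),
    SprintTestRun("S3", 220, 187),
    SprintTestRun("S4", 210, 150),
    SprintTestRun("S5", 190, 166),
]


def pass_rate(run: SprintTestRun) -> float:
    """Initial pass rate of one Sprint, the measure the QPPO is stated on."""
    if run.executed <= 0:
        raise ValueError(f"{run.sprint}: no test cases executed")
    if not 0 <= run.passed_first <= run.executed:
        raise ValueError(f"{run.sprint}: passed count out of range")
    return run.passed_first / run.executed


def process_performance_baseline(runs):
    """Baseline in the MPM 4.3 sense: pooled pass rate plus p-chart limits.

    Returns (p_bar, lcl, ucl). The limits describe what the process
    does (stability); the QPPO describes what the business needs.
    """
    total = sum(r.executed for r in runs)
    passed = sum(r.passed_first for r in runs)
    p_bar = passed / total
    n_bar = total / len(runs)                   # average subgroup size
    sigma = sqrt(p_bar * (1.0 - p_bar) / n_bar)
    return p_bar, max(0.0, p_bar - 3 * sigma), min(1.0, p_bar + 3 * sigma)


def meets_qppo(rate: float) -> bool:
    """True when the rate lies inside the 86% +/- 10% objective band."""
    return abs(rate - QPPO_TARGET) <= QPPO_TOLERANCE


def evaluate_qppo(runs):
    """Per-Sprint and average judgement: capable (meets QPPO) vs. stable (in control)."""
    p_bar, lcl, ucl = process_performance_baseline(runs)
    sprints = {}
    for run in runs:
        rate = pass_rate(run)
        sprints[run.sprint] = {
            "pass_rate": round(rate, 4),
            "meets_qppo": meets_qppo(rate),
            "in_control": lcl <= rate <= ucl,   # False = special-cause signal
        }
    return {
        "baseline": p_bar,
        "lcl": lcl,
        "ucl": ucl,
        "average_meets_qppo": meets_qppo(p_bar),
        "sprints": sprints,
    }


if __name__ == "__main__":
    result = evaluate_qppo(CONSTRUCTED_RUNS)
    print(f"baseline {result['baseline']:.3f}, "
          f"limits [{result['lcl']:.3f}, {result['ucl']:.3f}]")
    for name, info in result["sprints"].items():
        print(name, info)
```

With the constructed data the average pass rate (83.5%) meets the objective while Sprint S4 falls below both the objective band and the lower control limit, which is the signal that a special cause needs investigation rather than a shift in the baseline.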
Context Specific
Agile Development
Table MPM-2: Example Agile Measurement Activities provides examples of where measurement
and performance play a role in an agile project.
o Agreed to scale to be used for story points, most commonly using the Fibonacci
sequence
o Identifying and assigning story points to Sprints
o Application of average team Sprint velocity to future Sprints
Typically, agile teams use burndown charts for releases and Sprints to monitor progress and
help assess performance.
Figure MPM-1: Release Burndown Chart & Sprint (Iteration) Burndown Chart
The Release Burndown Chart in Figure MPM-1: Release Burndown Chart & Sprint (Iteration)
Burndown Chart shows the number of story points remaining over time, tracked within each
Sprint, and representing all of the work for a release consisting of several Sprints. The
performance objective of this work is to burn down a target number of story points within a
release within a given timeframe using a set of resources. This chart shows:
• The number of story points completed (“Value delivered”)
• Those points forecasted across all planned Sprints
• All of the planned work for a release
The performance objective of this work is related to the value delivered, and used to help
forecast what might be delivered in future Sprints related to the release.
Measurements are used to track the remaining story points, and the performance analysis
determines any deviation and the associated reason, for example overcommitting to story
points or people unexpectedly on sick leave. Actions may be taken, such as postponing user
stories to later releases, adding more resources, or removing impediments.
The Sprint (Iteration) Burndown Chart in Figure MPM-1: Release Burndown Chart & Sprint
(Iteration) Burndown Chart shows the remaining story points that have been forecasted for the
Sprint, which are updated continuously. The performance objective is to complete the planned
stories within the Sprint using a consistent set of resources. The measurement gives the
remaining points to be delivered, and the performance analysis collected through visual
information indicators and daily standups informs the team of any deviation and their reasons,
e.g., the code is difficult to modify. Appropriate actions are taken to remove impediments.
Data
Context: Use processes to incorporate data management best practices as an integral part
of the solution.
Identify and leverage measurements to assess the achievement of the objectives for managing
data. Consider a comprehensive approach, across all business units, business processes,
projects, and applications, for measuring and reporting on data quality dimensions that are
important to the project or organization. Analyze the measurement data, including consideration
of error rates and quality thresholds, to assess the effectiveness of the approach for managing
data and take appropriate corrective action when measures indicate data is outside of tolerance
levels, or when there is misalignment with business objectives.
Examples of data measures to consider include:
• Value of metadata management, e.g., link to cost containment, operating efficiency,
process effectiveness
• Performance of key processes and procedures, e.g., frequency of use per attribute,
number of data stores per attribute, quantity of applications per attribute
• Criticality of data attributes to applications, e.g., which are core, for what process, used in
which application, included in which calculation processes
• Costs associated with the movement of data across the lifecycle, e.g., how much is at risk,
especially if the lineage is fragmented
• Tracking progress toward a single authoritative source
• Quality of metadata breadth, depth, scope, availability, timeliness, accuracy, duplication,
conformity, linkages, and clarity
• Metadata metrics, e.g., adoption, percent complete
• Satisfaction of Service Level Agreements (SLAs) regarding platform or technical
performance and capabilities
• Number of data management breaches in comparison to the defined approach
• Percent of roles and responsibilities supporting the governance of data management
DevSecOps
Context: DevSecOps is a mindset, a culture, and a set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps teams leverage automated tools and processes to perform their work. This enables
the team to identify process objectives and to collect and analyze a variety of measures to
determine progress against them. Measures are selected and used to achieve a balance
between business needs, process adherence, and effectiveness. Measures are also used by the
team to effectively manage their work and contribute to achievement of business objectives. It
is important to consider the full context of the overall process and activities when analyzing
measurement results. DevSecOps teams use a variety of automated tools to capture significant
amounts of data about the software process from development through deployment and
operations. When determining measures, a DevSecOps team typically considers:
• Reliability
• Security
• Stability
• Performance
• Cost
• Process Lead Time
• Ease of Use
• Continuity
• Deployment Queue Rate
• Consistency
Safety
Every solution is likely to have some level of safety requirements included as part of its design
and operation. These requirements typically include safety objectives and related
measurements that are used to verify that the safety requirements have been addressed.
Security
Every solution is likely to have some level of security requirements included as part of its design
and operation. These requirements typically include security objectives and related
measurements that are used to verify that the security requirements have been addressed.
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
An acquirer establishes measurement objectives for its activities and work products and for
supplier activities and deliverables. Measurement and analysis of solution components provided
by suppliers is important to effectively manage the quality and costs of the project. Careful
management of supplier agreements can provide insight into data that supports supplier
performance analysis. The supplier agreement should include:
• Measures for the supplier to collect and report
• Data collection processes and timing for the supplier to use
• Expected analysis of supplier data
• Required storage of supplier data
Identify additional measures to track and achieve interface or connection interoperability in
projects where multiple acquired solutions deliver a capability to the end user or where there
are relationships with other projects to acquire joint capabilities.
The acquirer specifies measures to:
• Gauge its own progress and output
• Monitor supplier performance and progress per contractual requirements
• Gain insight into the status of the evolving solutions acquired
Level 1
MPM 1.1
Required Practice Information
Practice Statement
Collect measures and record performance.
Value
Enables performance management to increase likelihood of meeting objectives.
Example Activities
Context Specific
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
Acquiring organizations need to identify the data needed to provide insight into supplier
activities and performance. The supplier agreement must include any data expected from
suppliers.
MPM 1.2
Required Practice Information
Practice Statement
Identify and address performance issues.
Value
Improves the ability to achieve objectives and increases customer satisfaction.
Example Activities
Level 2
MPM 2.1
Required Practice Information
Practice Statement
Derive and record measurement and performance objectives from selected business needs and
objectives and keep them updated.
Value
Aligns measurement and performance activities to increase the likelihood of achieving business
results.
• Strategic plans
• Business plans
• Formal requirements or contractual obligations
• Work plans
• Work performance monitoring
• Process improvement plans
• Interviews with senior managers and others who have information needs
• Recurring or persistent issues
• Supplier agreements and contractual requirements
• Experiences of other workgroups or organizational entities
• External industry benchmarks
Example Activities
Context Specific
People
Identifying and categorizing security measurements helps to quantify the potential impact and
severity of security issues, enabling more timely responsiveness for meeting security
objectives. Examples of security measurement categorization may include:
Information Technology
• Number of systems, servers, and users with known or discovered security issues and
vulnerabilities
• Number of expected or potential issues, threats, and vulnerabilities
• Number and frequency of access issues
• Number of Secure Sockets Layer (SSL) Certificates configured incorrectly
• Frequency of access to critical enterprise systems and solutions by third parties
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
For objectives defined in supplier agreements, the acquirer defines measures that provide
insight into the performance of suppliers, including the quality of their deliverables.
Measurement objectives focus on acquirer performance, supplier performance, and
understanding the effects on customer, operational, and financial performance. Supplier
measurement objectives help to define and track service level requirements recorded in the
supplier agreement.
Derive measurement objectives needed to:
• Maintain alignment to project objectives and provide results that keep a project on track
to its successful conclusion
• Support the organization’s ability to develop an infrastructure that reinforces and grows
acquirer capabilities, including those related to processes, people, and technologies
• Support the ability to monitor and manage financial results and customer expectations
Review appropriate measurement objectives with potential suppliers throughout the solicitation,
obtaining their feedback and commitment.
Example supplier deliverables include:
• Quality performance data
• Performance against agreed-to service levels
• Cost and effort data
Include required supplier deliverables in the supplier agreement.
MPM 2.2
Required Practice Information
Practice Statement
Develop, keep updated, and use operational definitions for measures.
Value
Increases the consistency of measures and the likelihood that business needs and objectives
are met efficiently and effectively.
There are direct relationships among information needs, measurement and performance
objectives, types, or categories of measurement, base measures, and derived measures. This
direct relationship is depicted using some common examples in Table MPM-4: Example
Measurement Relationships.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
The business objectives should drive the measurement selection and use. Business,
organization, and project leaders must decide which measures are operationally meaningful to
the organization, as well as how to implement and use them. Standard operationally defined
measures used by DevSecOps teams typically include:
• Application Change Time: Time between code commit and production deployment. This
measure includes time to build, test, and release an update. When application change
times are shorter, this implies improved development efficiencies.
• Application Deployment Frequency: Number of deployments to production in each
iteration. Lower deployment frequency might be acceptable for a mature product, while
high deployment frequency is common for new or less mature products.
• Availability: Application uptime or downtime in a period. This is an important metric
usually linked to the Service Level Agreement (SLA).
• Change Failure Rate: Number or percentage of failed production deployments that result
in an aborted deployment or rollback. A high change failure rate could indicate a problem
with team skills, deployment process, or understanding and management of the
deployment infrastructure.
• Change Volume: Number of new features or functions deployed in a period. A high
change volume with a low failure rate suggests a high tempo of successful development.
A high change volume with a high failure rate might indicate issues with the DevSecOps process.
• Issue Resolution Time: Average time needed to resolve a reported issue. This measures
the time it takes to identify and fix a reported defect or issue.
• Issue Volume: Number of issues reported in a given period, e.g., help desk ticket creation
rate. A high issue volume might indicate customer dissatisfaction or production issues.
• Mean Time To Recovery (MTTR): Time between a failed deployment and full restoration of
production operations. Short MTTR indicates a capable DevSecOps process; longer MTTR
suggests problems.
• Time to Patch: Time between identifying a vulnerability in the application and successful
production patch deployment. This is an indication of the ability of DevSecOps teams to
find and fix defects.
• Time to Value: Time between a feature or function request and the realization of business
value. Most businesses want to minimize time to value.
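The operationally defined measures above only become comparable across teams when each is computed the same way from the same records. The following is an added example written for this section, not CMMI model text: it computes Application Change Time, Deployment Frequency, Change Failure Rate, Change Volume, MTTR and Time to Patch from a constructed set of deployment, incident and vulnerability records. The record layout, the timestamps and the 14-day reporting period are assumptions made for the example.

```python
"""DevSecOps operational measures computed from constructed records.

Added example for the CMMI MPM 2.2 DevSecOps context; not model text.
Every record below is constructed for illustration.
"""
from datetime import datetime
from statistics import mean

# Constructed deployment records: commit time, production deploy time,
# whether the deployment failed (aborted or rolled back), features shipped.
DEPLOYMENTS = [
    {"commit": "2023-10-02T09:00", "deploy": "2023-10-02T15:00", "failed": False, "features": 3},
    {"commit": "2023-10-03T10:00", "deploy": "2023-10-04T10:00", "failed": True, "features": 1},
    {"commit": "2023-10-05T08:00", "deploy": "2023-10-05T11:00", "failed": False, "features": 2},
    {"commit": "2023-10-09T13:00", "deploy": "2023-10-10T01:00", "failed": False, "features": 4},
]

# Constructed incidents: a failed deployment and the time production was fully restored.
INCIDENTS = [
    {"failed_at": "2023-10-04T10:00", "restored_at": "2023-10-04T13:00"},
]

# Constructed vulnerability records: when found, when the production patch shipped.
VULNERABILITIES = [
    {"identified": "2023-10-01T12:00", "patched": "2023-10-05T11:00"},
    {"identified": "2023-10-06T09:00", "patched": "2023-10-10T01:00"},
]

REPORTING_PERIOD_DAYS = 14   # assumed reporting period


def _hours(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def application_change_time_hours(deploys):
    """Mean time from code commit to production deployment (build, test, release)."""
    return mean(_hours(d["commit"], d["deploy"]) for d in deploys)


def deployment_frequency(deploys, period_days):
    """Production deployments per day over the reporting period."""
    return len(deploys) / period_days


def change_failure_rate(deploys):
    """Fraction of production deployments that were aborted or rolled back."""
    return sum(1 for d in deploys if d["failed"]) / len(deploys)


def change_volume(deploys):
    """Number of new features or functions deployed in the period."""
    return sum(d["features"] for d in deploys)


def mttr_hours(incidents):
    """Mean time from a failed deployment to full restoration of production."""
    return mean(_hours(i["failed_at"], i["restored_at"]) for i in incidents)


def time_to_patch_hours(vulns):
    """Mean time from identifying a vulnerability to a successful production patch."""
    return mean(_hours(v["identified"], v["patched"]) for v in vulns)


def devsecops_measures(deploys, incidents, vulns, period_days):
    """All measures in one report, keyed by the names used in the model."""
    return {
        "application_change_time_hours": application_change_time_hours(deploys),
        "deployment_frequency_per_day": deployment_frequency(deploys, period_days),
        "change_failure_rate": change_failure_rate(deploys),
        "change_volume": change_volume(deploys),
        "mttr_hours": mttr_hours(incidents),
        "time_to_patch_hours": time_to_patch_hours(vulns),
    }


if __name__ == "__main__":
    for name, value in devsecops_measures(DEPLOYMENTS, INCIDENTS, VULNERABILITIES,
                                          REPORTING_PERIOD_DAYS).items():
        print(f"{name}: {value:.2f}")
```

Note that Time to Patch starts at identification, not at the commit of the fix, so a long value points at the whole find-and-fix pipeline and not only at deployment; keeping the two clocks separate is what lets the measure be interpreted the way the model describes.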
People
Context: Use processes to deliver, manage, and improve services to meet customer needs.
When selecting measures for managing service capacity and availability, consider supported
activities, reporting requirements, and information use. Commitments and agreements should
include the selected measures and analytic techniques. Analysis should include describing the
relationship between identified measures and requirements and deriving objectives that state
specific target measures or ranges to meet for each measured attribute. Capacity and
availability measures should be traced to requirements. Tools needed to support the collection
and analysis of capacity and availability data should be identified, used, and kept updated.
Examples of availability measures include:
• Percentage available within agreed hours (this availability can be overall availability or
component availability)
• Percentage unavailable within agreed hours (this unavailability can be overall
unavailability or component unavailability)
• Duration of downtime due to failure, typically minutes, hours, or hours per week
• Failure frequency
• Degree of effect, e.g., number of affected users, number of minutes that users lost
productivity, number of transactions or vital business functions not processed or carried
out, number of applications impeded
• Response time of the system to incidents, transaction response times, and response times
(as a capacity measure or availability measure)
• Reliability, e.g., number of breaks, mean time between failures, mean time between
incidents
Examples of capacity and availability measures include:
• Use of limited resources
• Use of components
• Unused limited resources
• Unused components
• Throughput, e.g., number of concurrent users, number of transactions to process
• Queue length (maximum and average)
• Number of a type of resource or one or more specific resources in use a selected number
of times (this use can be monitored by calendar time)
Table MPM-5: Example Service Measurement Relationships depicts some common examples of
measurement relationships in the context of services.
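Availability "within agreed hours" is only meaningful if downtime outside the agreed window is excluded and downtime that straddles the window boundary is clipped. The following is an added example written for this section, not CMMI model text: it computes the availability measures listed above (percentage available and unavailable within agreed hours, overall and per component, downtime duration, failure frequency, degree of effect, mean time between failures) and a queue-length capacity measure from a constructed outage log. The agreed service hours (Mon-Fri 08:00-18:00), the reporting week and all outage records are assumptions made for the example.

```python
"""Availability and capacity measures within agreed service hours.

Added example for the CMMI MPM 2.2 services context; not model text.
The service window and the outage log are constructed assumptions.
"""
from datetime import datetime, timedelta, time
from statistics import mean

# Assumed agreed service hours: Monday to Friday, 08:00 to 18:00.
AGREED_START = time(8, 0)
AGREED_END = time(18, 0)
AGREED_WEEKDAYS = {0, 1, 2, 3, 4}

# Constructed outage log for the week of 2023-10-02 (not real data).
OUTAGES = [
    {"start": "2023-10-03T17:30", "end": "2023-10-03T18:30", "users": 120, "component": "api"},
    {"start": "2023-10-04T02:00", "end": "2023-10-04T03:00", "users": 5, "component": "db"},
    {"start": "2023-10-05T10:00", "end": "2023-10-05T11:30", "users": 400, "component": "api"},
]
PERIOD_START = datetime(2023, 10, 2)
PERIOD_END = datetime(2023, 10, 9)   # exclusive


def _t(s):
    return datetime.fromisoformat(s)


def agreed_windows(period_start, period_end):
    """Yield (start, end) of each agreed-hours window that begins inside the period."""
    day = period_start.date()
    while datetime.combine(day, time.min) < period_end:
        if day.weekday() in AGREED_WEEKDAYS:
            yield datetime.combine(day, AGREED_START), datetime.combine(day, AGREED_END)
        day += timedelta(days=1)


def _overlap_minutes(a0, a1, b0, b1):
    """Minutes shared by intervals [a0, a1) and [b0, b1); zero if they do not meet."""
    return max((min(a1, b1) - max(a0, b0)).total_seconds() / 60.0, 0.0)


def agreed_minutes(period_start, period_end):
    """Total agreed service minutes in the period."""
    return sum(_overlap_minutes(w0, w1, period_start, period_end)
               for w0, w1 in agreed_windows(period_start, period_end))


def downtime_in_agreed_hours(outages, period_start, period_end, component=None):
    """Downtime minutes that fall inside agreed hours, overall or for one component.

    An outage that crosses the window boundary is clipped to the window, so the
    17:30-18:30 outage above contributes only 30 minutes.
    """
    total = 0.0
    for o in outages:
        if component is not None and o["component"] != component:
            continue
        for w0, w1 in agreed_windows(period_start, period_end):
            total += _overlap_minutes(_t(o["start"]), _t(o["end"]), w0, w1)
    return total


def availability_report(outages, period_start, period_end):
    """The availability measures from the model for one reporting period."""
    agreed = agreed_minutes(period_start, period_end)
    down = downtime_in_agreed_hours(outages, period_start, period_end)
    in_period = [o for o in outages if period_start <= _t(o["start"]) < period_end]
    total_down_h = sum((_t(o["end"]) - _t(o["start"])).total_seconds() / 3600 for o in in_period)
    period_h = (period_end - period_start).total_seconds() / 3600
    failures = len(in_period)
    return {
        "agreed_minutes": agreed,
        "downtime_minutes": down,
        "pct_available": 100.0 * (agreed - down) / agreed,
        "pct_unavailable": 100.0 * down / agreed,
        "failure_frequency": failures,
        # MTBF here is calendar uptime divided by the number of failures.
        "mtbf_hours": (period_h - total_down_h) / failures if failures else None,
        "affected_users": sum(o["users"] for o in in_period),   # degree of effect
    }


def queue_length_stats(samples):
    """Maximum and average queue length from periodic samples (a capacity measure)."""
    return {"max": max(samples), "avg": mean(samples)}


if __name__ == "__main__":
    print(availability_report(OUTAGES, PERIOD_START, PERIOD_END))
    print(queue_length_stats([3, 7, 2, 12, 5]))
```

The component filter gives the "component availability" variant the model mentions: the same outage log yields 120 minutes of agreed-hours downtime for the api component and none for the database, whose only outage fell outside the agreed window.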
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
The acquirer uses defined supplier measures and measures of acquirer progress and output to
manage the project. Define measures needed to manage the acquirer’s performance objectives,
some of which need to be provided by suppliers. Incorporate the measures that suppliers collect
and report in the supplier agreement and service level agreements.
Define acceptance criteria to enable the intended use of supplier measures, such as potential
aggregation and analysis. These criteria should include criteria associated with the collection
and transfer mechanisms and procedures that the supplier performs. Consider all supplier
measure characteristics that can affect their use, such as differences in financial calendars used
by different suppliers.
The supplier may provide measures as detailed measurement data or measurement reports.
Align measures that come from suppliers with the acquirer’s acceptance criteria for supplier
measures. Record acceptance criteria in measurement specifications or checklists.
MPM 2.3
Required Practice Information
Practice Statement
Obtain specified measurement data according to the operational definitions.
Value
Improves decisions and increases the likelihood of successfully completing projects.
Example Activities
Context Specific
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
Obtain derived measures from the supplier as defined in the supplier agreement. The acquirer
should ensure the supplier agreement specifies supplier data requirements for frequency,
accuracy, and consistency. Follow up with suppliers if data is not available or data integrity
checks indicate potential data errors.
Use acceptance criteria to verify:
• The results of data integrity tests conducted by the supplier
• The integrity of the supplier data
Example supplier deliverables include:
• Base and derived supplier measurement data sets
• Results of data integrity tests of supplier measurement data
• Supplier data collection frequency
• Regulatory and statutory compliance data
MPM 2.4
Required Practice Information
Practice Statement
Analyze performance and measurement data according to the operational definitions.
Value
Provides insight into performance and actions needed to meet objectives.
Example Activities
Context Specific
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
The supplier agreement should specify supplier requirements for analyzing measurement data,
including the definition and examples of measures the supplier must provide to the acquirer.
Example measurement analysis activities acquirers can perform with suppliers include:
• Discussing results and preliminary conclusions with suppliers
• Coordinating additional analyses with suppliers
• Reviewing initial results related to supplier progress or output with suppliers and
determining if revisions are appropriate based on their response
• Updating data acceptance criteria for supplier measures
MPM 2.5
Required Practice Information
Practice Statement
Store measurement data, measurement specifications, and analysis results according to the
operational definitions.
Value
Enables analysis of performance to improve the likelihood of repeating successes.
Example Activities
Context Specific
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
The acquirer protects measurement data provided by the supplier according to the supplier
agreement. The supplier agreement might specify that the acquirer must restrict access to a
supplier’s measurement data.
Information stored includes data acceptance criteria for supplier data.
The supplier agreement specifies:
• Measurement data the supplier must provide to the acquirer
• The format the supplier should use for providing data to the acquirer
• How the supplier will collect and store measurement data, e.g., retention period of data
• How and how often the supplier will transfer data to the acquirer
• Who has access to data
• Regulatory requirements
• Provisions for handling proprietary data
Develop mechanisms to transfer measurement data and process guidance from the supplier to
the acquirer. The acquirer can integrate data collection from a supplier with periodic monitoring
and review of supplier activities. In the supplier agreement, the acquirer should specify the
applicable standard report formats and tools the supplier will use for reporting.
Review data collection and storage procedures with suppliers throughout the life of the
agreement. Update data collection and storage procedures, as needed, and obtain supplier
commitment to collect and store measurement data and reference procedures in the supplier
agreement.
MPM 2.6
Required Practice Information
Practice Statement
Take actions to address identified issues with meeting measurement and performance
objectives.
Value
Enables the ability to meet performance objectives.
Example Activities
Level 3
MPM 3.1
Required Practice Information
Practice Statement
Develop, keep updated, and use the organization’s measurement and performance objectives
traceable to business objectives.
Value
Optimizes resource usage to improve business success.
Example Activities
MPM 3.2
Required Practice Information
Practice Statement
Follow organizational processes and standards to develop and use operational definitions for
measures and keep them updated.
Value
Enables consistent collection, understanding, and use of organizational measurement and
performance data to improve performance and increase likelihood of success.
Example Activities
MPM 3.3
Required Practice Information
Practice Statement
Develop, keep updated, and follow a data quality process.
Value
Ensures that use of the measurement and performance data results in better decision-making.
Example Activities
MPM 3.4
Required Practice Information
Practice Statement
Develop, keep updated, and use the organization’s measurement repository.
Value
Supports informed decisions leading to more successful projects through timely access to
measurement and performance data.
• Support analysis
The measurement repository:
• Contains project, process, and performance measures that are related to the
organization’s set of standard processes.
• Contains or refers to the information needed to understand, interpret, and assess
measures and performance for reasonableness and applicability.
• Contains up-to-date and correct information. Maintaining the repository is important since
objectives and related measures and performance change over time.
Example Activities
MPM 3.5
Required Practice Information
Practice Statement
Analyze organizational performance using measurement and performance data to determine
and address performance improvement needs.
Value
Contributes to business success through the analysis and improvement of performance.
Example Activities
Context Specific
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
When determining performance needs for services, develop, keep updated, and use models,
thresholds, and targets for supporting capacity and availability management to keep the work
on track to meet objectives.
Capacity and availability management may include developing service system representations
used for delivering the solution and using these representations for:
• Supporting negotiation of appropriate agreements
• Planning
• Making decisions
• Considering corrective actions
• Providing and allocating resources to meet current and future requirements
These representations provide insight into the behavior of a service system given specific work
volumes and varieties. These representations can be built using diagrams; spreadsheets;
commercial off-the-shelf (COTS) tools, e.g., simulation packages; prototypes; or tools
developed in house. For some service delivery systems, the representations are historical
baselines; trend analyses; analytical models; analysis of waiting times in queues; simulation
models; statistical models, e.g., regression models, time series models; causal models, e.g.,
probabilistic networks; or application sizing.
MPM 3.6
Required Practice Information
Practice Statement
Periodically communicate performance results to the organization.
Value
Enhances coordination and understanding of performance and improvement value to reduce
waste and increase the likelihood of achieving objectives.
Example Activities
Example Work Product: Performance improvement and analysis reports
Further Explanation: May include:
• Contextual information or guidance to help interpret analysis results
• Discussion and interpretation of results
• Usage of results
• Performance improvement results from projects
• Effect on satisfying measurement and performance objectives
• Aggregation to the business level
• Effect on satisfying business objectives
Level 4
MPM 4.1
Required Practice Information
Practice Statement
Use statistical and other quantitative techniques to develop, keep updated, and communicate
quality and process performance objectives that are traceable to business objectives.
Value
Establishes realistic quality and process performance objectives enabling better decision-
making, increasing the likelihood of meeting business objectives.
Example Activities
Context Specific
Data
Context: Use processes to incorporate data management best practices as an integral part
of the solution.
Context: Use processes to develop quality products and services to meet the needs of
customers and end users.
Examples of Quality and Process Performance Objectives (QPPOs) using derived targets include:
• Maintain a code review rate between 75 and 100 lines of code per hour
• Keep test rate over a specified number of test cases per day
• Maintain productivity in generating use cases per day
• Keep design complexity (fan-out rate) below a specified threshold
MPM 4.2
Required Practice Information
Practice Statement
Select measures and analytic techniques to quantitatively manage performance to achieve
quality and process performance objectives.
Value
Focuses measurement and management activities on the data that provide the most insight into
achieving the objectives.
Example Activities
MPM 4.3
Required Practice Information
Practice Statement
Use statistical and other quantitative techniques to develop and analyze process performance
baselines and keep them updated.
Value
Enables quantitative understanding of performance and capability to ensure that objectives can
be met.
Example Activities
MPM 4.4
Required Practice Information
Practice Statement
Use statistical and other quantitative techniques to develop and analyze process performance
models and keep them updated.
Value
Reduces cost and increases quality by predicting likelihood of meeting objectives and allowing
for early corrective action.
Example Activities
MPM 4.5
Required Practice Information
Practice Statement
Use statistical and other quantitative techniques to determine or predict achievement of quality
and process performance objectives.
Value
Facilitates a quantitative understanding of risks to achieving objectives, which maximizes the
likelihood of success.
Example Activities
Level 5
MPM 5.1
Required Practice Information
Practice Statement
Use statistical and other quantitative techniques to ensure that business objectives are aligned
with business strategy to optimize performance.
Value
Minimizes waste and rework through a more accurate understanding of capability, which
increases the likelihood of setting and meeting reasonable objectives.
Example Activities
MPM 5.2
Required Practice Information
Practice Statement
Analyze performance data using statistical and other quantitative techniques to determine the
organization’s ability to satisfy selected business objectives and identify potential areas for
optimizing performance.
Value
Identifies areas that pose the greatest risk to achieving business objectives or greatest
opportunity for increasing business performance.
Example Activities
MPM 5.3
Required Practice Information
Practice Statement
Select and implement improvement proposals based on the statistical and quantitative analysis
of the expected effect of proposed improvements on meeting and optimizing business, quality,
and process performance objectives.
Value
Increases likelihood that selected improvements will significantly contribute to achieving
business, quality, and process performance objectives.
Example Activities
Intent
Identifies the security threats and vulnerabilities that could compromise the organization or
solution, analyzes the potential impacts, and defines and takes actions to address and mitigate
them.
Value
Increases an organization’s capability and resilience to identify, mitigate, and recover from
threats and vulnerabilities.
Explanatory PA Information
Practice Summary
Level 1
MST 1.1 Identify and record security threats and vulnerabilities.
MST 1.2 Take actions to address security threats and vulnerabilities.
Level 2
MST 2.1 Develop, keep updated, and follow an approach for handling security
threats and vulnerabilities.
MST 2.2 Develop and keep updated criteria to evaluate security threats and
vulnerabilities.
MST 2.3 Use recorded criteria to prioritize, monitor, and address the most critical
security threats and vulnerabilities that arise during operations.
MST 2.4 Evaluate and report the effectiveness of the approach and actions taken
to address critical security threats and vulnerabilities to the solution.
Level 3
MST 3.1 Develop, keep updated, and follow an organizational security strategy,
approach, and architecture to evaluate, manage, and verify threats and
vulnerabilities.
MST 3.2 Analyze security verification and validation results to ensure accuracy,
comparability, consistency, and validity across the organization.
MST 3.3 Evaluate effectiveness of the organizational security strategy, approach,
and architecture for addressing security threats and vulnerabilities.
Level 4
MST 4.1 Employ threat intelligence analysis to develop and improve the solution
security approach and architecture, and to select security solutions to
address threats and vulnerabilities, using statistical and other quantitative
techniques.
External References
Context Specific
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
As with other phases within a solution lifecycle, ensure acquisition and supplier management
activities also address security risk assessments. During any phase of acquiring solutions,
security concerns including threats and vulnerabilities must be considered and addressed. This
includes performing risk assessments to identify mitigations, which may impact already elicited
solution requirements or security activities defined in the processes. Ensure that the security
risk and opportunity management plan for the supplier’s solution or solution components, the
security risk assessment, and mitigation plans address vulnerability and threat impacts when
performing supplier management activities.
Level 1
MST 1.1
Required Practice Information
Practice Statement
Identify and record security threats and vulnerabilities.
Value
Minimizes the potential negative impact on the project or solution.
Example Activities
MST 1.2
Required Practice Information
Practice Statement
Take actions to address security threats and vulnerabilities.
Value
Mitigates the potential negative security impact on the solution and work.
Example Activities
Level 2
MST 2.1
Required Practice Information
Practice Statement
Develop, keep updated, and follow an approach for handling security threats and vulnerabilities.
Value
Enables an organization to rapidly prioritize and address security issues in a consistent manner.
Example Activities
MST 2.2
Required Practice Information
Practice Statement
Develop and keep updated criteria to evaluate security threats and vulnerabilities.
Value
Enables the impact of threats and vulnerabilities to be evaluated in a consistent and efficient
manner.
Example Activities
MST 2.3
Required Practice Information
Practice Statement
Use recorded criteria to prioritize, monitor, and address the most critical security threats and
vulnerabilities that arise during operations.
Value
Ensures that limited resources are applied to the most critical threats and reduces the security
vulnerabilities of the solution.
Example Activities
MST 2.4
Required Practice Information
Practice Statement
Evaluate and report the effectiveness of the approach and actions taken to address critical
security threats and vulnerabilities to the solution.
Value
Verifies the approach remains effective to meet current business needs and prevent further
negative impact.
Example Activities
Level 3
MST 3.1
Required Practice Information
Practice Statement
Develop, keep updated, and follow an organizational security strategy, approach, and
architecture to evaluate, manage, and verify threats and vulnerabilities.
Value
Minimizes the impact of threats and vulnerabilities to the organization.
Verify and validate the security architecture to ensure that the organizational security strategy,
approach, and structure fulfill the needs of the organization.
Analyze and evaluate the results of these verification and validation activities to resolve issues
and determine additional relevant corrective actions.
Example Activities
MST 3.2
Required Practice Information
Practice Statement
Analyze security verification and validation results to ensure accuracy, comparability,
consistency, and validity across the organization.
Value
Provides unbiased security risk information and verifies the quality and consistency of a robust
approach.
Example Activities
MST 3.3
Required Practice Information
Practice Statement
Evaluate effectiveness of the organizational security strategy, approach, and architecture for
addressing security threats and vulnerabilities.
Value
Enables alignment between the security strategy, approach, and architecture; and facilitates a
comprehensive perspective across all organizational security elements.
Example Activities
Level 4
MST 4.1
Required Practice Information
Practice Statement
Employ threat intelligence analysis to develop and improve the solution security approach and
architecture, and to select security solutions to address threats and vulnerabilities, using
statistical and other quantitative techniques.
Value
Enables advanced understanding and capability to predict and prevent security threats and
vulnerabilities more rapidly and effectively.
• Understanding both special cause and common cause of variation for security processes
and solutions
• Identifying and removing special cause of variation to address security stability and to
address and improve common cause of variation to meet the QPPO
The security organization may rely on intelligence analysis as one form of collecting information.
However, simply reviewing collected security threat and vulnerability information alone does not
qualify as threat intelligence analysis. Effective threat intelligence analysis enables the
organization to predict and prevent potential security threats and vulnerabilities. To help
conduct effective intelligence analysis, organizations engage an intelligence analyst or team of
analysts who are primarily responsible for the analysis, processing, and distribution of strategic,
tactical, and predictive intelligence, and take preventive action. These analysts are integral to
providing the organization with comprehensive and actionable threat intelligence information
about hostile forces and potential threat areas. They collect information from a wide range of
individuals and sources to connect the similarities of their knowledge, creating a shared truth
for the organization.
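The special cause / common cause distinction above is the vocabulary of Shewhart control charts, one of the statistical techniques MST 4.1 calls for. As an added example (not part of the CMMI model text), the Python below builds an XmR (individuals and moving range) chart for a constructed weekly security measure, mean days to remediate critical findings, flags special-cause signals against limits derived from a stable baseline, and then checks whether the process running on common-cause variation alone can meet a hypothetical QPPO target. All data values and the 14-day target are constructed for the illustration.

```python
"""XmR control chart applied to a security process measure (added example).

Constructed data: weekly mean time to remediate critical findings, in days.
The baseline period is used to derive the natural process limits; the
monitored period is then checked for special-cause variation.
"""
from dataclasses import dataclass
from typing import Dict, Sequence

# Shewhart constant for individuals charts: 3 sigma estimated from the average
# moving range of consecutive points (3 / d2, with d2 = 1.128 for n = 2).
XMR_CONSTANT = 2.66
# Consecutive points on one side of the centre line that signal a process shift.
RUN_LENGTH = 8

# Constructed baseline: 12 weeks of a stable process (values in days).
BASELINE = [9.5, 10.2, 8.8, 11.0, 9.9, 10.6, 9.1, 10.4, 9.7, 10.8, 9.3, 10.1]
# Constructed monitored period: one spike (week 3) and a sustained upward shift.
MONITORED = [10.3, 9.6, 27.5, 9.8, 10.4, 10.9, 11.2, 10.7, 11.5, 10.6, 11.1, 10.8]
# Hypothetical quality and process performance objective (QPPO), in days.
QPPO_TARGET_DAYS = 14.0


@dataclass(frozen=True)
class Limits:
    center: float  # process average (centre line)
    ucl: float     # upper natural process limit
    lcl: float     # lower natural process limit


def compute_limits(baseline: Sequence[float]) -> Limits:
    """Derive natural process limits from a baseline believed to be stable."""
    if len(baseline) < 2:
        raise ValueError("need at least two baseline points")
    center = sum(baseline) / len(baseline)
    moving_ranges = [abs(b - a) for a, b in zip(baseline, baseline[1:])]
    mr_bar = sum(moving_ranges) / len(moving_ranges)
    spread = XMR_CONSTANT * mr_bar
    # A remediation time cannot be negative, so the lower limit is floored at 0.
    return Limits(center=center, ucl=center + spread, lcl=max(0.0, center - spread))


def find_special_causes(values: Sequence[float], limits: Limits) -> Dict[int, str]:
    """Return {index: reason} for every point showing special-cause variation.

    Rule 1: a point beyond either natural process limit (an isolated event,
            e.g. one finding stuck waiting on a vendor patch).
    Rule 2: RUN_LENGTH consecutive points on one side of the centre line
            (a sustained shift in how the process is performing).
    """
    signals: Dict[int, str] = {}
    for i, v in enumerate(values):
        if v > limits.ucl or v < limits.lcl:
            signals[i] = "beyond control limit"
    for i in range(len(values) - RUN_LENGTH + 1):
        window = values[i:i + RUN_LENGTH]
        if all(v > limits.center for v in window) or all(v < limits.center for v in window):
            for j in range(i, i + RUN_LENGTH):
                signals.setdefault(j, "run of %d on one side of centre" % RUN_LENGTH)
    return signals


def common_cause_meets_target(limits: Limits, target: float) -> bool:
    """True when a stable process (common-cause variation only) stays within target.

    If this is False while no special causes remain, removing more special
    causes will not help; the process itself must change to meet the QPPO.
    """
    return limits.ucl <= target


def main() -> None:
    limits = compute_limits(BASELINE)
    print("centre %.2f  UCL %.2f  LCL %.2f (days)" % (limits.center, limits.ucl, limits.lcl))
    for week, reason in sorted(find_special_causes(MONITORED, limits).items()):
        print("week %2d: %5.1f days  <- %s" % (week + 1, MONITORED[week], reason))
    verdict = "can" if common_cause_meets_target(limits, QPPO_TARGET_DAYS) else "cannot"
    print("stable process %s meet the %.0f-day QPPO" % (verdict, QPPO_TARGET_DAYS))


if __name__ == "__main__":
    main()
```

With the constructed data the spike in week 3 trips rule 1 and weeks 5 to 12 trip the run rule; the baseline limits (UCL about 13.1 days) sit below the 14-day target, so once those special causes are removed the process meets the QPPO without further common-cause work.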
Example Activities
Intent
Provides an understanding of the project progress so appropriate corrective actions can be
taken when performance deviates significantly from plans.
Value
Increases the probability of meeting objectives by taking early actions to adjust for significant
performance deviations.
Explanatory PA Information
Practice Summary
Level 1
MC 1.1 Record task completions.
MC 1.2 Identify and resolve issues.
Level 2
MC 2.1 Track actual results against estimates for size, effort, schedule,
resources, knowledge and skills, and budget.
MC 2.2 Track the involvement of identified stakeholders and commitments.
MC 2.3 Monitor the transition to operations and support.
MC 2.4 Take corrective actions when actual results differ significantly from
planned results and manage to closure.
Level 3
MC 3.1 Manage the project using the project plan and the project process.
MC 3.2 Manage critical dependencies and activities.
MC 3.3 Monitor the work environment to identify issues.
MC 3.4 Manage and resolve issues with affected stakeholders.
Context Specific
Agile Development
In Figure MC-1: Monitoring Agile Development, each of the activities in the development flow
provides opportunities for monitoring progress and is reviewed during the retrospective. For
example, during the daily stand-up, individuals report on progress and blockers, providing
overall status information. During the Sprint retrospective, the team reviews progress made
since the last Sprint and adjusts future Sprints and epics to account for actual versus planned
velocity.
Typical monitoring practices for agile teams, e.g., stand-up meetings and visual information
management, report progress using:
• A burndown chart (refer to Figure MC-2: Burndown Chart) showing the number of story
points remaining, tracked within each Sprint, and representing all of the work for a release,
which typically consists of several Sprints. A burndown chart is updated daily, indicating the
time needed to complete the work committed for the Sprint.
• Visual information in Kanban boards or other tracking tools, indicating the current state of
team performance and related factors that can impact performance or progress.
Data
Context: Use processes to incorporate data management best practices as an integral part
of the solution.
The production of approaches for managing data to meet relevant needs of the organization is
not a once-and-done activity. Once developed, the execution of the approach and the changing
needs of the business must be closely monitored and regularly evaluated to ensure the
approach meets the business needs for quality. As shortfalls are identified or gaps are
discovered, the approaches must evolve, which may involve changes of focus or adjustments to
ongoing projects.
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps teams use automated tools to monitor their DevSecOps pipelines and collect and
assess key information about application use to discover trends and identify problem areas.
DevSecOps teams monitor their infrastructure resources, network transport, applications and
microservices, containers, interfaces or connections, gate-check points, endpoint behavior, and
security event logs to take actions when needed. This approach allows teams to “shift left” to
earlier stages in development and minimize broken production changes.
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
Develop monitoring and control functions early in the project during planning when defining the
supplier management strategy.
Monitor and control activities are essential throughout the supplier management process to
ensure:
• Application of appropriate resources
• Acquirer activities progress according to plan
After selecting one or more suppliers and establishing agreements, the acquirer continues to
monitor and control its activities and work products. At the same time, the acquirer monitors
and controls supplier progress and performance for effects to the overall effort.
Define supplier progress and performance reporting requirements in the supplier agreement
consistent with the needs of the contract.
Level 1
MC 1.1
Required Practice Information
Practice Statement
Record task completions.
Value
Enables the team and senior management to make better decisions to achieve objectives.
Example Activities
MC 1.2
Required Practice Information
Practice Statement
Identify and resolve issues.
Value
Supports prevention of uncontrolled cost and schedule creep.
Example Activities
Level 2
MC 2.1
Required Practice Information
Practice Statement
Track actual results against estimates for size, effort, schedule, resources, knowledge and skills,
and budget.
Value
Identifies significant deviations so more effective corrective actions can be taken which
increases the likelihood of meeting objectives.
Example Activities
Context Specific
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Monitoring and analyzing capacity and availability can help identify the need for corrective
actions to prevent service interruption and service system failure.
Record the use of each resource, including its use by each component, e.g., the extent or
degree to which each component uses a given resource. Analyze the effect of failures to align
capacity and availability.
Monitor the use of resources during unexpected increases in demand to determine whether
corrective actions are needed. Examples of corrective actions include:
• Adjustments to resources provided
• Adjustments to thresholds
• Adjustments to descriptions of the normal use of service resources and service system
performance
Identify the need for corrective actions:
• Based on monitoring and analyzing capacity and availability
• In response to service incidents, change requests, changes to service requirements
(current and future)
• To improve service system performance or prevent breaches of the service agreement
Monitor the service system to detect or prevent the failure of components that affect service
system availability. At a minimum, monitor availability. Monitor other quality attributes if
appropriate based on the type of service, development, or acquisition provided. For many
service systems, it may also be appropriate to monitor other quality attributes such as reliability
and maintainability. Monitor the resilience of the service system to service component failure
and identify the impacts of specific failures on service system availability.
Activities to monitor capacity and availability of service systems may include:
• Monitoring the use of resources against thresholds, descriptions of normal use, and
service system performance
• Estimating future changes, either growth or reduction, in resource use
o Methods and tools for estimating service system behavior include trend analysis,
analytical modeling, simulation modeling, baseline models, and application sizing
o Resource usage growth estimates can be based on collected capacity and availability
data, projected requirements, and service system representations
• Communicating the analysis of results on performance objectives and their impact on
capacity and availability
o Capacity and availability reports can be regular or ad hoc. If helpful, simplify reporting
by using databases with automated reporting features. Follow organizational reporting
standards. When they exist, use standard tools and techniques to integrate and
consolidate information in the reports.
o Information should be appropriate to the audience and understandable, and it may
need to address multiple perspectives. These perspectives can include business, end
user, customer, or provider. Agreements can define the reported information, to whom
it should be delivered, and how it is provided, e.g., format, detail, distribution, media.
o Availability is typically reported as a percentage. If required, in addition to reporting
availability, report on reliability, e.g., reliability of the service or service system
components, maintainability, and other quality attributes.
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
Track resource commitments that result in expenditures, e.g., issued purchase orders and
completed, accepted supplier deliverables, when the organization incurs the expense. Track
resource commitments even before formal payment, to account for financial and legal
obligations. Monitor commitments that do not result in expenditures, e.g., allocation of
resources or skill sets.
Example supplier deliverables include:
• Supplier progress and performance reports
• Records of significant deviations from plans or processes
• Cost performance reports
MC 2.2
Required Practice Information
Practice Statement
Track the involvement of identified stakeholders and commitments.
Value
Manages stakeholder involvement critical to successful work completion.
Example Activities
Context Specific
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
o Performance reports
o Resource use reports
o Resource use projections
o Availability reports
MC 2.3
Required Practice Information
Practice Statement
Monitor the transition to operations and support.
Value
Ensures expected benefits are obtained by smooth solution transitions and successful
implementations.
Example Activities
Context Specific
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
Typically, the supplier has a role in integrating and packaging solutions and preparing for the
transition to operations and support, including support for business user acceptance. The
acquirer monitors these supplier activities. The supplier request package and the supplier
agreement set the expectations of the supplier and the acceptance criteria to transition to
operations and support.
Example supplier deliverables include:
• Training materials and supporting work products
• Site readiness reports
• Verification reports
• Training records
• Operational readiness reports
• Test results
• Pilot results
The acquirer makes adequate provisions to operate the acquired solution through the supplier
agreement or in-house operations and support organizations. Typically, the supplier develops
training for the solution.
MC 2.4
Required Practice Information
Practice Statement
Take corrective actions when actual results differ significantly from planned results and manage
to closure.
Value
Manages corrective actions to increase the probability that objectives will be met.
Example Activities
Context Specific
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Work group level monitoring and control or measurement and analysis can adequately cover
some monitoring of service system operation. This can include managing and controlling other
operationally-oriented quality attributes associated with service delivery, such as:
• Capacity
• Availability
• Responsiveness
• Service Level Agreement performance
• Usability
• Reliability
• Maintainability
• Safety
• Security
o Monitoring for security breaches, correcting vulnerabilities, and controlling access to
services
o Ensuring that the service provider only delivers approved services, as specified in the
service agreement, to authorized personnel
However, some services can require monitoring and data collection at the level of individual
service requests or continuously within the scope of a single service request. Such monitoring
can require its own tools to handle data collection, analysis, and reporting appropriately. These
tools are often automated. Perform low-level monitoring of service system components using
monitoring and data collection tools as appropriate.
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
The acquirer has the sole responsibility for taking corrective actions when either the acquirer or
supplier implementation results deviate from plan.
The acquirer determines, e.g., by monitoring measurement data, whether supplier progress is
sufficient to meet a service level defined in the supplier agreement. If the supplier’s progress is
not sufficient, the acquirer initiates and manages corrective action with the supplier. If the
supplier does not comply appropriately with this corrective action, the acquirer escalates the
issue for resolution.
Level 3
MC 3.1
Required Practice Information
Practice Statement
Manage the project using the project plan and the project process.
Value
Ensures necessary activities are performed which reduces rework and improves the likelihood of
achieving objectives.
Example Activities
Context Specific
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
When managing the project, consider the critical dependencies of service delivery and service
performance, such as:
• Timing of shipments
• Service delivery activities
• Service delivery schedules
• Operating procedures
• Service requests identified in service agreements
• Service delivery performance and measurements
• Locations of facilities for service delivery
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
MC 3.2
Required Practice Information
Practice Statement
Manage critical dependencies and activities.
Value
Manages critical dependencies to significantly reduce risk and increase the likelihood of meeting
objectives.
Example Activities
Context Specific
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
The supplier agreement provides the basis for managing supplier involvement in the project.
Supplier agreements, e.g., interagency and intercompany agreements, memoranda of
understanding, memoranda of agreement, that the acquirer makes with stakeholder
organizations provide the basis for stakeholder organization involvement. These stakeholder
organizations can be solution providers or recipients. These agreements are particularly
important when the acquirer’s project produces complex integrated solutions.
MC 3.3
Required Practice Information
Practice Statement
Monitor the work environment to identify issues.
Value
Ensures objectives are met by providing an effective, safe, and healthy work environment.
Example Activities
MC 3.4
Required Practice Information
Practice Statement
Manage and resolve issues with affected stakeholders.
Value
Resolves issues early, increasing the likelihood of meeting objectives.
Example Activities
Context Specific
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
Intent
Develops the skills and knowledge of personnel so they perform their roles efficiently and
effectively.
Value
Enhances individuals’ skills and knowledge to improve organizational work performance.
Explanatory PA Information
Practice Summary
Level 1
OT 1.1 Train people.
Level 2
OT 2.1 Identify training needs.
OT 2.2 Train personnel and keep records.
Level 3
OT 3.1 Develop and keep updated the organization’s strategic and short-term
training needs.
OT 3.2 Coordinate training needs and delivery between the projects and the
organization.
OT 3.3 Develop, keep updated, and follow organizational strategic and short-
term training plans.
OT 3.4 Develop, keep updated, and use a training capability to address
organizational training needs.
OT 3.5 Assess and report the effectiveness of the organization’s training
program.
OT 3.6 Record, keep updated, and use the set of organizational training records.
Context Specific
Data
Context: Use processes to incorporate data management best practices as an integral part
of the solution.
Consider requirements, processes, and risks when identifying training needs relevant to
managing data. Ensure training needs are aligned to roles and responsibilities involved in
managing data.
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Consider affected stakeholders of the service system for organizational training activities.
Affected stakeholders include customers, end users, provider personnel, senior management,
external suppliers, and anyone else who is engaged with the service system. Develop, keep
updated, and follow training plans that include the appropriate forms of training and
communications to affected stakeholders. Training for affected stakeholders can vary greatly
based on the complexity of the service system, scope of transition changes to the service
system, and the knowledge and skills of the stakeholders.
Level 1
OT 1.1
Required Practice Information
Practice Statement
Train people.
Value
Increases likelihood of meeting objectives by ensuring individuals have needed skills and
knowledge.
Example Activities
Level 2
OT 2.1
Required Practice Information
Practice Statement
Identify training needs.
Value
Reduces costs by providing training needed to perform the work.
Example Activities
Context Specific
Safety
Consider safety requirements, awareness, and risks when identifying training needs. Ensure
safety-related roles and responsibilities are aligned to training needs.
Security
Consider security requirements, awareness, and risks when identifying training needs. Ensure
security-related roles and responsibilities are aligned to training needs.
OT 2.2
Required Practice Information
Practice Statement
Train personnel and keep records.
Value
Avoids training people who already have the needed knowledge and skills, and verifies that
people get the training needed to perform their work.
Example Activities
Level 3
OT 3.1
Required Practice Information
Practice Statement
Develop and keep updated the organization’s strategic and short-term training needs.
Value
Maximizes the likelihood of meeting objectives by ensuring that the organization has skilled
individuals now and in the future.
Example Activities
OT 3.2
Required Practice Information
Practice Statement
Coordinate training needs and delivery between the projects and the organization.
Value
Ensures efficient and effective allocation of training resources.
Example Activities
Context Specific
People
OT 3.3
Required Practice Information
Practice Statement
Develop, keep updated, and follow organizational strategic and short-term training plans.
Value
Increases effectiveness and efficiency of task performance.
Example Activities
OT 3.4
Required Practice Information
Practice Statement
Develop, keep updated, and use a training capability to address organizational training needs.
Value
Ensures personnel have the knowledge, skills, and abilities to perform their work efficiently and
effectively.
Example Activities
Context Specific
Data
Context: Use processes to incorporate data management best practices as an integral part
of the solution.
Consider training needs for individuals relative to managing data. Establish mechanisms to
ensure all individuals are aware of the principles, processes, regulations, and guidelines, e.g.,
how to access and use the data glossary for managing data.
Strong data practices often require Subject Matter Experts (SMEs) for execution. These experts
are trained and, where appropriate, certified in their specific discipline. Career paths and
professional growth plans should be established to ensure that personnel have the means to
improve and sharpen their skills for the benefit of the organization. Skilled personnel resources
are valuable assets of the organization, and their skills and competencies should be identified,
formally recognized, and leveraged across the organization. This helps to guide others with less
training, supports consistency of practices across the organization, strengthens legal and
regulatory compliance regarding an organization’s data, and facilitates persistent and habitual
performance of sound activities for managing data.
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps concepts place a strong focus on automating as much of the process as
possible. Organizations with DevSecOps teams need to tightly couple their development process
and technical training to ensure the teams have the skills needed to build and maintain an
automated Continuous Integration / Continuous Delivery (CI/CD) process using the tools
provided by the organization efficiently and effectively. Technical training on the organization’s
tool suite needs to be scheduled on a recurring basis to account for personnel turnover and to
stay current with updates to tools and environments. Tool guidelines may be kept updated at
the team level to support operational tool use. Mentoring within the team is also an effective
training approach. The organization should also focus on improving soft skills to improve
collaboration between the operations and development teams.
Safety
Identify topics that require safety awareness training for a broader audience versus more
technical, in-depth safety training. Determine the most effective delivery approach for each type
of training, e.g., internal versus external and classroom versus computer-based training (CBT).
Establish mechanisms to ensure safety training and related materials remain consistent with
industry, e.g., consistent with laws, considerate of technology changes, and organization
information. Ensure content of safety training materials incorporates safety topics and
attributes, recognizing and addressing issues, emergency safety procedures, and scenarios.
Security
Identify topics that require security awareness training for a broader audience, versus more
technical, in-depth security training. Determine the most effective delivery approach for each
type of training, e.g., internal versus external and classroom versus computer-based training
(CBT). Establish mechanisms to ensure security training and related materials remain consistent
with industry, e.g., consistent with industry trends, considerate of technology changes, and
organization information. Ensure content of security training materials incorporates all aspects
of security relevant to the organization, e.g., physical security, standards and processes, access
control, customer data, solution functionality, and security considerations of third-party
systems.
OT 3.5
Required Practice Information
Practice Statement
Assess and report the effectiveness of the organization’s training program.
Value
Keeps the training program relevant and valuable to the business.
Example Activities
OT 3.6
Required Practice Information
Practice Statement
Record, keep updated, and use the set of organizational training records.
Value
Records are essential in determining how well the training program supports the achievement
of business and performance goals.
Example Activities
Intent
Identifies and addresses process performance and work product issues through reviews by the
producer’s peers or Subject Matter Experts (SMEs).
Value
Reduces cost and rework by uncovering issues or defects early.
Explanatory PA Information
Practice Summary
Level 1
PR 1.1 Perform reviews of work products and record issues.
Level 2
PR 2.1 Develop and keep updated procedures and supporting materials used to
prepare for and perform peer reviews.
PR 2.2 Select work products to be peer reviewed.
PR 2.3 Prepare and perform peer reviews on selected work products using
established procedures.
PR 2.4 Resolve issues identified in peer reviews.
Level 3
PR 3.1 Analyze results and data from peer reviews.
Context Specific
Agile Development
Examples of where peer reviews can be performed in an agile project typically include:
• Backlog grooming
• Reviewing completed stories during each iteration with product owner
• Use of paired, team, or mob programming during each iteration
• Pull requests
• Design, test plans, test cases, and code work products reviews
Results from peer reviews are often captured in automated tools.
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps teams typically use a mix of automated and manual code reviews to maintain
software quality. Static code analysis tools are often used to detect and correct common coding
mistakes and vulnerabilities based on the criteria configured in the tool. The team can adjust these
settings over time as they learn more about their code and understand trends or false positives.
Another critical review required in DevSecOps is of the configuration of the tools themselves. The
choices made when customizing them can easily let defects and vulnerabilities through. Hence, peer
reviews of the pipeline setup configurations, automation scripts, etc. are important for DevSecOps.
Several popular tools are available to perform this type of analysis. DevSecOps teams also
incorporate static application security testing into their Continuous Integration / Continuous
Delivery (CI/CD) pipeline to identify security vulnerabilities and hotspots. Security vulnerabilities
typically involve an immediate threat or risk to operations and hence require continuous focus;
security hotspots, where security-sensitive code is present, may require a manual peer review so
that immediate action can be taken. These manual peer reviews are typically accomplished as part
of a design or code review request and use a set of coding standards and secure coding practices
to evaluate the code for defects or vulnerabilities.
Level 1
PR 1.1
Required Practice Information
Practice Statement
Perform reviews of work products and record issues.
Value
Improves work product quality and reduces cost and rework by uncovering issues early.
Example Activities
Level 2
PR 2.1
Required Practice Information
Practice Statement
Develop and keep updated procedures and supporting materials used to prepare for and
perform peer reviews.
Value
Maximizes efficiency and effectiveness of finding issues in peer reviews.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps teams establish their automated code review criteria through the settings of the tool
they are using for their static code analysis. These settings are often part of the procedure/process
embedded in the Continuous Integration / Continuous Delivery (CI/CD) systems and pipeline;
those automated procedures should include defining a periodic frequency for re-evaluating the
review criteria in the tool, which code and items are subject to manual code review, and the
types of tests the tools perform. Reviews and verifications of the criteria and procedures
in the tool are performed periodically and as needed. Additional manual code reviews
serve as a manual gate-check for code changes before merging them to the trunk branch. This
helps ensure quality and security by preventing developers from working in a vacuum and
makes the team aware of project status and progress. Once the code review is completed, the
issues are addressed, and the code is merged into the trunk branch, a build is initiated as part of
the CI/CD pipeline where additional unit tests are run and issues resolved. DevSecOps teams
leverage lean development practices with the goal of making small commits and frequent
merges. This typically results in multiple code pull requests per day. Incorporating peer reviews
with pull requests addresses issue resolution in a more timely and effective manner, in line with
a shift-left approach.
PR 2.2
Required Practice Information
Practice Statement
Select work products to be peer reviewed.
Value
Manages costs by targeting critical work products for peer review.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps teams perform design reviews prior to development and then code review on all
their code as part of the code pull request process and Continuous Integration / Continuous
Delivery (CI/CD) pipeline as they are sequenced in the planned agile epics and Sprints. The
CI/CD pipeline and tool setup are in the plan and should include clear criteria for which code is
subject to automated reviews and tests, which is covered by a manual review, and how peer
review comments and actions are captured and resolved.
PR 2.3
Required Practice Information
Practice Statement
Prepare and perform peer reviews on selected work products using established procedures.
Value
Reduces cost by thorough and consistent review to detect work product issues.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
Through the tools and embedded criteria in them, DevSecOps teams determine which code or
work products are manually peer reviewed and when and how these reviews are conducted.
Collectively between the Continuous Integration / Continuous Delivery (CI/CD) pipeline, tools,
criteria, and settings, the team uses these to:
• Validate requirements
• Verify that coding standards and code review criteria are followed
• Describe which types of tests the tools perform
Manual code reviews are typically performed as part of a code pull or code review request and
use a set of coding standards and secure coding practices to evaluate the code for defects or
vulnerabilities. Paired programming and other techniques can also be used to address code
quality. Action items for addressing peer review issues are then entered into the automated tools
or made directly in the code.
PR 2.4
Required Practice Information
Practice Statement
Resolve issues identified in peer reviews.
Value
Reduces rework, costs, and increases quality.
Example Activities
Level 3
PR 3.1
Required Practice Information
Practice Statement
Analyze results and data from peer reviews.
Value
Increases the efficiency and effectiveness of the process for performing peer reviews.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps teams periodically perform reviews of their analysis tool settings and criteria based
on analysis results to minimize false positives, improve code quality, and adjust to changes in
the application environment or emerging threats and vulnerabilities. Static code analyzers and
dashboards can also be used for analysis. Analysis results from these techniques are typically
covered during Retrospectives to enable the team to avoid or prevent recurrence.
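The periodic review of analyzer settings described above is easiest to do from data: the team's triage verdicts on past findings tell it which rules are producing noise and where. The following is an added example, not part of the CMMI model text, showing one way to turn a triage log into per-rule false-positive rates and tuning recommendations. The findings, rule names, file paths and the thresholds (MIN_TRIAGED, FP_THRESHOLD) are all constructed for illustration and do not correspond to any particular analyzer or project.

```python
"""Analyze triaged static-analysis findings to decide which rules need tuning.

Added example; the triage log below is constructed sample data with
hypothetical rule names. A real team would export this from its analyzer
or ticketing system instead.
"""
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed triage log: one entry per finding with the reviewer's verdict.
SAMPLE_TRIAGE: List[Dict[str, str]] = [
    {"rule": "sql-string-concat", "file": "orders.py", "verdict": "true_positive"},
    {"rule": "sql-string-concat", "file": "reports.py", "verdict": "true_positive"},
    {"rule": "sql-string-concat", "file": "admin.py", "verdict": "false_positive"},
    {"rule": "hardcoded-secret", "file": "tests/fixtures.py", "verdict": "false_positive"},
    {"rule": "hardcoded-secret", "file": "tests/conftest.py", "verdict": "false_positive"},
    {"rule": "hardcoded-secret", "file": "tests/util.py", "verdict": "false_positive"},
    {"rule": "hardcoded-secret", "file": "settings.py", "verdict": "true_positive"},
    {"rule": "weak-hash", "file": "legacy/md5cache.py", "verdict": "false_positive"},
    {"rule": "weak-hash", "file": "legacy/digest.py", "verdict": "false_positive"},
    {"rule": "path-traversal", "file": "upload.py", "verdict": "open"},
]

# Assumed policy thresholds: do not judge a rule on fewer than MIN_TRIAGED
# triaged findings, and treat FP_THRESHOLD or above as "noisy".
MIN_TRIAGED = 2
FP_THRESHOLD = 0.6

_VERDICT_KEY = {"true_positive": "tp", "false_positive": "fp", "open": "open"}


def rule_stats(triage: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Count true positives, false positives and still-open findings per rule."""
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"tp": 0, "fp": 0, "open": 0})
    for finding in triage:
        stats[finding["rule"]][_VERDICT_KEY[finding["verdict"]]] += 1
    return dict(stats)


def fp_rate(stat: Dict[str, int]) -> Optional[float]:
    """False-positive share of triaged findings; None when nothing is triaged yet."""
    triaged = stat["tp"] + stat["fp"]
    return stat["fp"] / triaged if triaged else None


def recommend(triage: List[Dict[str, str]],
              min_triaged: int = MIN_TRIAGED,
              fp_threshold: float = FP_THRESHOLD) -> Dict[str, str]:
    """Map each rule to a tuning recommendation derived from its triage history."""
    recs: Dict[str, str] = {}
    for rule, stat in rule_stats(triage).items():
        rate = fp_rate(stat)
        if rate is None or stat["tp"] + stat["fp"] < min_triaged:
            recs[rule] = "insufficient-data"      # keep the rule, gather more verdicts
        elif rate >= fp_threshold and stat["tp"] == 0:
            recs[rule] = "reconsider-rule"        # only noise so far: check the rule itself
        elif rate >= fp_threshold:
            recs[rule] = "tune-exclusions"        # real hits exist, but scope is too broad
        else:
            recs[rule] = "keep"
    return recs


def noisy_paths(triage: List[Dict[str, str]], rule: str) -> Dict[str, int]:
    """Top-level directories that produce false positives for a rule.

    Gives the team a concrete candidate list for path exclusions rather than
    a global downgrade of the rule.
    """
    counts: Dict[str, int] = defaultdict(int)
    for finding in triage:
        if finding["rule"] == rule and finding["verdict"] == "false_positive":
            path = finding["file"]
            counts[path.split("/")[0] if "/" in path else "."] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, rec in sorted(recommend(SAMPLE_TRIAGE).items()):
        print(f"{rule:20} {rec}")
        if rec == "tune-exclusions":
            print("    false positives by directory:", noisy_paths(SAMPLE_TRIAGE, rule))
```

The output is meant to feed the retrospective, not to replace it: a rule tagged "reconsider-rule" may still be worth keeping if the code it flags is genuinely risky, and a "keep" rule with a rising false-positive rate across scans is the early signal to watch.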
Planning (PLAN)
PLAN Overview
Required PA Information
Intent
Develops plans to describe what is needed to accomplish the work within the standards and
constraints of the organization.
Value
Optimizes cost, functionality, and quality to increase the likelihood of meeting objectives.
o Services
o Solutions and deliverables
o Resources
o Capacity and availability
o Service or service system performance
o Availability
• Determining corrective actions to ensure appropriate capacity and availability while
balancing costs against resources needed and supply against demand
Explanatory PA Information
Practice Summary
Level 1
PLAN 1.1 Develop a list of tasks.
PLAN 1.2 Assign people to tasks.
Level 2
PLAN 2.1 Develop and keep updated the approach for accomplishing the work.
PLAN 2.2 Plan for the knowledge and skills needed to perform the work.
PLAN 2.3 Based on recorded estimates, develop, and keep the budget and
schedule updated.
PLAN 2.4 Plan the involvement of identified stakeholders.
PLAN 2.5 Plan transition to operations and support.
PLAN 2.6 Ensure plans are feasible by reconciling estimates against capacity and
availability of resources.
PLAN 2.7 Develop the project plan, ensure consistency among its elements, and
keep it updated.
PLAN 2.8 Review plans and obtain commitments from affected stakeholders.
Level 3
PLAN 3.1 Use the organization’s set of standard processes and tailoring guidelines
to develop, keep updated, and follow the project process.
PLAN 3.2 Develop a plan and keep it updated using the project process, the
organization’s process assets, and the measurement repository.
PLAN 3.3 Identify and negotiate critical dependencies.
PLAN 3.4 Plan for the project environment and keep it updated based on the
organization’s standards.
Level 4
PLAN 4.1 Use statistical and other quantitative techniques to develop and keep the
project processes updated to enable achievement of the quality and
process performance objectives.
Context Specific
Agile Development
Figure PLAN-1: Agile Planning provides a summary view of a typical agile development
workflow:
• Product Owner: The product owner gathers inputs from all affected stakeholders to
organize and prioritize user stories into epics and Sprints to address the product backlog.
• Product Backlog: A prioritized collection of user stories, epics, and Sprints that represent
the entire set of known requirements. Stories in the product backlog are often not yet
estimated and are typically developed by the product owner, with assistance from
business analysts and other team members.
• Sprint Planning Meeting: During this meeting, the collection of user stories or epics
selected for the Sprint is estimated and further broken down into tasks by the agile team.
The Sprint backlog is a forecast of what the team believes can be accomplished during the
Sprint.
• Team members “self-subscribe” to user stories and commit to completing them during the
Sprint. Responsibility for each story is usually recorded on a task board and can be
redistributed as needed to manage the workload of the team. This information is used to
provide input to schedule and budget planning.
o Schedule: Each Sprint has a fixed duration, usually two to four weeks, and the
collection of Sprints defines the total anticipated release schedule.
o Budget: Agile teams typically adhere to a fixed team, fixed time-box model that, when
examined in aggregate, helps to identify key drivers of the project’s budget.
Data
Context: Use processes to incorporate data management best practices as an integral part
of the solution.
Define the data lifecycle that aligns to the business process, including traceability from the
creation or acquisition of the data source to the target. Consider the following data lifecycle
phases and scope the boundaries based on the approaches for managing data:
• Business Direction, e.g., data requirements, creation, acquisition
• Development, e.g., architecture, design
• Implementation, e.g., physical architecture
• Deployment, e.g., insertion into the operational environment
• Operations, e.g., data transformations, usage, performance, maintenance
• Retirement, e.g., decommissioning, archiving
Throughout the data lifecycle, as needed, obtain agreement from stakeholders regarding the
data elements and authoritative data sources.
Development
Context: Use processes to develop quality products and services to meet the needs of
customers and end users.
Most engineering disciplines can benefit from project planning practices and include examples
such as:
• Software development
• Hardware development
• Systems development
• Manufacturing or product lines, such as in:
o Developing and maintaining core assets, e.g., components, tools, architectures,
operating procedures, software
o Supporting the use of core assets
o Developing each individual system from core assets
o Coordinating the overall effort of developing, using, and improving the core assets
• Construction and maintenance
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps teams build on agile planning principles, and in addition consider and address
additional security requirements and constraints. DevSecOps is directly dependent on having
consistent and repeatable agile development processes in place. One key consideration that
should be addressed in planning is when developers will be using Free Open-Source Software
(FOSS) as part of their software builds or incorporating third-party software in their product. If
FOSS or third-party software is used, then planning should address:
• How developers are trained to protect the software they are writing from FOSS risks and
supply chain attacks
• The mechanisms in place for developers to make them aware of existing vulnerabilities in
a timely manner; this would include a list of the known vulnerabilities in the software they
are planning to reuse or incorporate into their code, such as a Software Bill of Materials
(SBOM)
• The processes and tools needed to detect and remove these vulnerabilities
• Identification of workarounds, mitigation strategies, and continuity response plans that
can be implemented if an attack through one of these vectors should occur
• Any licensing or copyright considerations or restrictions on their use
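As an added example (not CMMI content) of the SBOM-based awareness mechanism, the vulnerability detection and the licensing check listed above: a Python script that cross-checks a constructed CycloneDX-style SBOM against a constructed advisory feed and a license allowlist, then applies a release gate. Component names, advisory identifiers, versions and the allowlist are all placeholders, not real packages or advisories.

```python
"""Cross-check a CycloneDX-style SBOM against known vulnerabilities and a license policy.

Added example, not part of the CMMI model. All data below is constructed.
"""
import json
from dataclasses import dataclass

# Constructed SBOM in a CycloneDX-like JSON shape (name, version, declared licenses).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "libfoo", "version": "1.2.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "parser-kit", "version": "0.9.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "netutil", "version": "2.0.1", "licenses": []},
    ],
})

# Constructed advisory feed with placeholder ids (not real CVEs): a component is
# affected when introduced <= version < fixed_in.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "component": "libfoo",
     "fixed_in": "1.2.5", "severity": "HIGH"},
    {"id": "ADV-PLACEHOLDER-002", "component": "netutil", "introduced": "1.5.0",
     "fixed_in": "2.0.0", "severity": "CRITICAL"},
]

# Constructed license policy: SPDX ids acceptable for this product.
LICENSE_ALLOWLIST = {"MIT", "Apache-2.0", "BSD-3-Clause"}

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    licenses: tuple  # SPDX ids declared in the SBOM


@dataclass(frozen=True)
class Finding:
    kind: str        # "vulnerability" or "license"
    component: str
    version: str
    detail: str
    severity: str


def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_sbom(text):
    """Extract components from a CycloneDX-style JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX-style document")
    comps = []
    for c in doc.get("components", []):
        ids = (e.get("license", {}).get("id", "") for e in c.get("licenses", []))
        comps.append(Component(c["name"], c["version"], tuple(i for i in ids if i)))
    return comps


def find_vulnerable(components, advisories):
    """Match each component against the advisory feed by name and version range."""
    findings = []
    for comp in components:
        v = parse_version(comp.version)
        for adv in advisories:
            if adv["component"] != comp.name:
                continue
            if parse_version(adv.get("introduced", "0")) <= v < parse_version(adv["fixed_in"]):
                findings.append(Finding("vulnerability", comp.name, comp.version,
                                        f"{adv['id']} (fixed in {adv['fixed_in']})",
                                        adv["severity"]))
    # Highest severity first so the release gate and the reader see it immediately.
    findings.sort(key=lambda f: SEVERITY_RANK.get(f.severity, 0), reverse=True)
    return findings


def check_licenses(components, allowlist):
    """Flag components with no declared license or a license outside the allowlist."""
    findings = []
    for comp in components:
        if not comp.licenses:
            findings.append(Finding("license", comp.name, comp.version,
                                    "no license declared in SBOM", "MEDIUM"))
            continue
        for lic in comp.licenses:
            if lic not in allowlist:
                findings.append(Finding("license", comp.name, comp.version,
                                        f"license {lic} not on allowlist", "HIGH"))
    return findings


def review_sbom(sbom_text, advisories, allowlist):
    comps = parse_sbom(sbom_text)
    return {"components": comps,
            "vulnerabilities": find_vulnerable(comps, advisories),
            "license_issues": check_licenses(comps, allowlist)}


def should_block(review, threshold="HIGH"):
    """Release gate: block when any finding is at or above the threshold severity."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f.severity, 0) >= limit
               for f in review["vulnerabilities"] + review["license_issues"])


if __name__ == "__main__":
    result = review_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES, LICENSE_ALLOWLIST)
    for f in result["vulnerabilities"] + result["license_issues"]:
        print(f"{f.severity:8} {f.kind:13} {f.component}@{f.version}: {f.detail}")
    print("BLOCK" if should_block(result) else "PASS")
```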
People
Plan safety activities considering dependencies between safety components and any other
activity that could be affected. Ensure that related impacts are identified and managed with
planned safety activities. Integrate safety activities into the project plan and schedule, to the
greatest extent possible, while taking into consideration requirements of regulatory agencies.
Security
Determine the necessary security controls, based on the organization’s security criteria. Identify
and plan security activities, resources, and process assets, e.g., guidelines, templates, and
tools, required to meet the necessary security level. This includes:
• Identify the necessary security posture
• Tailor the security activities and process assets for the work according to the security level
• Identify needed security resources and training to perform the work
Integrate the security activities and process assets within the overall work plan, including
consideration of security resources and knowledge needed to perform the security activities.
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Responding to service requests may require detailed, frequently revised plans for allocating
resources to tasks and managing the task queue, e.g., assigning repair jobs in a maintenance
shop. Consider these low-level operating plans as an extension of the overall service plan.
When planning for transitions in services or service system components, e.g., archival of a
service or a technology upgrade, account for all operational and support activities affected by
the transition. Typically, organizations record this information in a transition plan. When
planning for services, consider plans for service continuity.
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
Planning for supplier management is based on the acquisition strategy. The acquisition strategy
is a guide for directing and controlling the work, and a framework for integrating activities
essential to acquiring an operational solution. When needed, a supplier management approach
should be developed and included as part of the planning activities and may include such items
as:
• Availability of assets and technologies
• Supplier management objectives and constraints
• Consideration of supplier selection and management methods
• Potential supplier agreement types and terms
Level 1
PLAN 1.1
Required Practice Information
Practice Statement
Develop a list of tasks.
Value
Ensures that the work needed to meet customer requirements is identified to increase customer
satisfaction.
Example Activities
Context Specific
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
When providing a service, it is important to know and list what resources are available for
performing the tasks needed to deliver the service. Identify needed and available resources to
understand where the service may use resources. This can also help identify where shortages
may occur. Unrecognized shortages may cause the organization to miss business objectives.
Activities can include:
• Developing the task list
• Developing a list of needed resources by task
• Developing a list of the available resources
The task list may include a high-level description of the tasks that need to be performed to
meet requirements or agreements. Include:
• Resource identifiers, e.g., a labor category for a human resource
• Descriptions of needed skills for the personnel resources, e.g., human resources, training,
professional certifications
• Descriptions of needed equipment, tools, or facilities
PLAN 1.2
Required Practice Information
Practice Statement
Assign people to tasks.
Value
Ensures that tasks will be performed to meet requirements and satisfy the customer.
Example Activities
Level 2
PLAN 2.1
Required Practice Information
Practice Statement
Develop and keep updated the approach for accomplishing the work.
Value
Maximizes project success by keeping the affected stakeholders focused on accomplishing their
specific objectives.
Example Activities
Context Specific
Agile Development
For agile projects, Figure PLAN-2: Agile Development Lifecycle Phases shows the most common
phases of an agile development lifecycle. Each agile iteration follows these basic phases. In
general, agile iterations or Sprints are two to four weeks.
Development
Context: Use processes to develop quality products and services to meet the needs of
customers and end users.
Larger development projects can contain multiple phases, such as concept exploration,
development, production, operations, and disposal. A development phase can include
subphases such as requirements analysis, design, fabrication, integration, and verification. The
determination of project phases typically includes selection and refinement of one or more
development models to address interdependencies and appropriate sequencing of the activities
in the phases.
Depending on the strategy for development, there can be intermediate phases for the
development of prototypes, increments of capability, or spiral model cycles. In addition, include
explicit phases for startup and close-out as needed.
Security
Most aspects of security are addressed multiple times within a solution lifecycle, but in general, the
earlier in the lifecycle that security is addressed, the less effort and cost is ultimately required to achieve
the same level of security. Software development in particular can introduce many security vulnerabilities.
However, few software development methodologies or lifecycles explicitly address software security in
detail, so secure software development practices must be added to each phase of the lifecycle to ensure
that the software being developed is well-secured. For more information, refer to NIST Special Publication
800-218, Secure Software Development Framework.
Figure PLAN-3: Development Lifecycle with Security Integration provides an example of
integrating security into a typical solution development lifecycle. While not all activities related
to security are reflected, this graphic provides some of the most common considerations for
integrating related processes. Additional security requirements and objectives should be
considered during estimating, planning, and monitoring.
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
The service approach can play various roles, but initially, it serves as the basis for senior
management to approve and commit resources. Revise the service approach through planning
when identifying the solution, processes, resources, and risks.
A service approach can be developed by the organization, by prospective service personnel,
e.g., in collaboration with potential customers and suppliers, or by some other combination of
parties with a strategic business view of the service.
The service approach can include a high-level description of the service, the development
approach, the delivery approach, and approaches for automated service delivery, as
appropriate.
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
The acquisition strategy defines the approach for formulating supplier request packages,
supplier agreements, and plans. The strategy evolves over time and should continuously reflect
the status and desired end of the work. The acquisition strategy establishes the acquisition
phases, milestone decision points, and accomplishments for each acquisition phase. Develop
the acquisition strategy from an understanding of the acquisition work and environment. The
acquirer considers the:
• Potential value or benefit of the acquisition
• Risks or opportunities
• Constraints
• Experiences with different types of suppliers and agreements
The acquisition strategy includes:
• Acquisition objectives and constraints
• Asset and technology availability
• Consideration of acquisition methods
• Potential supplier agreement types
• Terms and conditions
• End user considerations
• Risk and opportunity considerations
• Core asset development and maintenance considerations
• Operational support processes
A well-developed acquisition strategy minimizes the time and cost required to satisfy approved
capability needs and maximizes affordability throughout the lifecycle.
When an acquisition uses an evolutionary lifecycle, the strategy may describe the function, and
how the acquirer and supplier will fund, develop, test, produce, and support the increasing
functionality of the solution.
Business considerations for the acquisition strategy may include:
• Type of competition planned for all phases of the acquisition or an explanation of why
competition is not practical or not in the best interests of the acquirer
• Developing or keeping updated access to competitive suppliers for critical solutions or
solution components
• Availability and suitability of commercial items and the extent to which interfaces or
connections for these items have broad market acceptance, standards, organization
support, and stability
• Both international and domestic sources that can meet the required need consistent with
organizational policies and regulations
• Critical technologies
• Data rights
• Product line considerations
• Socio-economic constraints
• Safety and health issues
• Security issues, including physical and information technology
• Other business-oriented solution quality characteristics that can be market differentiators
or mission critical, e.g., solution responsiveness, platform openness, availability,
sustainability
The acquisition strategy explains the planned acquisition incentive structure. This may include
providing incentives for delivering the solution at or below the established cost targets, while
satisfying requirements. Consider using incentives to manage risks.
If operations and maintenance support is going to be performed by an organization different
from the supplier, define a sufficient overlap period to ensure a smooth transition. The
acquirer’s sustainment organization or supplier typically participates in the development of the
solution support strategy.
PLAN 2.2
Required Practice Information
Practice Statement
Plan for the knowledge and skills needed to perform the work.
Value
Enables efficient and effective use of personnel resources.
Example Activities
Context Specific
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
For long-duration and continuous-operation services, the knowledge and skills needed change
as:
• Personnel rotate in and out of the projects (or from one service type to another)
• Technology used in the service system or for an individual service change
• Processes and technology used in the development or customer environments change
For example, a personnel change triggers the need to reevaluate the knowledge and skills
required for new team members. The types of knowledge and skills needed may change during
different phases of the service lifecycle, when adding new services, or changing service levels.
Plan for needed knowledge and skills to better address these sources of change.
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
The acquirer plans for knowledge and skills required by the acquisition team to perform their
tasks.
For example, if the acquirer is purchasing a software-intensive solution, ensure that the
assigned acquisition personnel have expertise in systems and software engineering, or the
acquirer will train personnel in these areas. The acquirer requires that personnel have
orientation and training in acquirer processes and domain knowledge. Personnel involved in
receiving, storing, using, and supporting the acquired solution also may need appropriate
training.
The acquirer also plans for knowledge and skills needed from the supplier. For example, the
acquirer can provide role descriptions and skill profiles to the supplier as part of the supplier
request package.
PLAN 2.3
Required Practice Information
Practice Statement
Based on recorded estimates, develop and keep the budget and schedule updated.
Value
Enables timely management and corrective actions needed to achieve objectives, through early
detection of significant deviations from the budget and schedule.
Example Activities
Context Specific
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Individual service requests, e.g., to repair a piece of equipment in a remote facility, transport a
package to a destination, can have individual milestones, task dependencies, resource
allocations, and scheduling constraints. Consider these milestones together and coordinate with
larger budgeting and scheduling activities.
Develop communication methods during service system development. Review, tailor, and
possibly supplement communication methods regularly to meet ongoing service delivery needs.
Budget development for service-related activities may include:
• Service components consumed during the lifecycle of a service request or for multiple
service requests that span multiple customers
• Type of resources required, e.g., 24-hour available resources for VIP services
• Expected number of service requests considered in a service agreement
• New resources that need to be added, purchased, or modified to comply with current or
future demand
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
For the duration of the work, define, track, and keep updated:
• Budget and schedule, including both acquirer and supplier activities
• Critical dependencies of supporting organizations, including any suppliers that support the
acquirer
PLAN 2.4
Required Practice Information
Practice Statement
Plan the involvement of identified stakeholders.
Value
Ensures that stakeholder needs are addressed when they arise, reducing the amount and cost
of rework.
Example Activities
Context Specific
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Plan for the involvement of stakeholders with service system transition activities, e.g., inclusion
of a new product, update of technology for service system components. Affected stakeholders
include customers, end users, provider personnel, senior management, external suppliers, and
anyone else who should be aware of expected changes. Consider the magnitude of the change
in planning for the appropriate level of detail and involvement during the transition.
Example mechanisms for involving stakeholders of service system transitions include:
• Automatic notifications from the service system
• Posted information within the service system
• Progress reviews, discussions, or approaches
• Communications through newsletters
• Updates of user guides and user procedures
• Updates of user training
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
Stakeholders can include acquirers, supplier team members, end users, and other involved
parties. When acquiring complex integrated solutions involving multiple suppliers, the acquirer
needs to ensure coordination between all stakeholders. This planning typically includes steps for
developing and keeping updated supplier agreements with these stakeholders, e.g., interagency
and intercompany agreements, memoranda of understanding, memoranda of agreement.
PLAN 2.5
Required Practice Information
Practice Statement
Plan transition to operations and support.
Value
Minimizes surprises and rework during adoption and deployment.
Example Activities
Example Work Products: Plans for transition to operations and support
Further Explanation: May include:
• Scope and objectives
• Assignment of responsibility
• Transition processes and procedures
• Activities needed to manage the transition and support the solution in its intended
environment
• Risks
• Evaluation methods and acceptance criteria to ensure the transition of the solution to
operations and support
• Readiness criteria for the operations organization and environment
• Transition of intellectual property or other assets to the designated repository
• Resolution steps if problems are encountered
• Readiness criteria for the solutions
• Readiness criteria for the solution support organization
• Identification of the maintenance organization
Context Specific
Security
Identify and plan the security activities, resources, and process assets, e.g., specifications,
templates, and tools, required to ensure that a consistent security level is obtained and
preserved during operations and transition to operations.
The plan must address:
• Stakeholder responsibilities
• Security procedures
• Security characteristics of the intended operational environment, e.g., physical access,
networks, and perimeter protection
• Specific information necessary to perform security activities
Examples of security assets to consider are:
• Security patch management procedures, which include communication, delivery, and
installation
• Security configuration and hardening guidelines, which include the scope and content of the
configuration and the hardening for the different solution components, including third-
party components, if appropriate
• Security delivery and operations instructions, which include information about
maintaining the security level during operations, e.g., for managing roles and privileges,
secure handling of passwords, security incident handling, and usage of digital signatures
or fingerprints
• Security commissioning instructions, which include information for addressing security
during commissioning, e.g., for changing default passwords
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
If support will be provided by an organization different from the supplier, a sufficient overlap
period should be included in the plan.
Typically, the acquirer develops initial transition and support plans and then reviews and
approves more detailed transition and support plans.
In an acquisition, the transition and support plan should also include:
• Expectations for supplier execution of the transition
• Warranty expectations for the acquired solution
• Transition of intellectual property or other acquirer assets to the acquirer's designated
repository
• Resolution steps if any problems are encountered
PLAN 2.6
Required Practice Information
Practice Statement
Ensure plans are feasible by reconciling estimates against capacity and availability of resources.
Value
Increases likelihood that the objectives are achieved by ensuring that needed resources are
available and committed to throughout the project.
• Identifying tools, techniques, and methods that could reduce time or cost
• Implementing incremental delivery
• Renegotiating stakeholder commitments
Manage individual project assignments to balance committed work among individuals and
projects:
• Evaluate individual workloads periodically to ensure they are balanced. Adjust individual
commitments as needed to improve balance and avoid overcommitment.
• When individuals’ work is nearing completion, seek opportunities to apply their effort to
other business activities.
• Ensure the manager of an individual committed to work on several projects:
o Ensures the combined commitments do not result in overcommitment
o Coordinates expectations for timing of work and results
o Resolves conflicts among project commitments
Example Activities
Context Specific
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
While selecting a supplier and negotiating the supplier agreement, the acquirer reconciles
overall work and resource levels based on supplier proposals. After completing the supplier
agreement, the acquirer incorporates the supplier’s plans at an appropriate level of detail to
support plan alignment. For example, an acquirer can incorporate major supplier milestones,
deliverables, and reviews.
The resource plan should plan for personnel with the appropriate training and experience to
evaluate supplier proposals and participate in negotiations with suppliers. The resource plan
identifies the work resources expected from the supplier, including critical facilities or
equipment needed. Revise the resource plan based on the supplier agreement or changes in
environment conditions.
PLAN 2.7
Required Practice Information
Practice Statement
Develop the project plan, ensure consistency among its elements, and keep it updated.
Value
Ensures efficient and effective communication and achievement of objectives through a
consistent project plan.
Example Activities
PLAN 2.8
Required Practice Information
Practice Statement
Review plans and obtain commitments from affected stakeholders.
Value
Reduces rework and increases the likelihood of achieving objectives through a consistent
understanding and commitment to the plan.
Example Activities
Example Work Products: Results of plan reviews
Further Explanation: Reviews will help identify issues that lead to misunderstandings or may
prevent objectives from being met. Review results may include:
• List of issues discovered during review
• List of changes that will be made
• Reason for plan changes
Example Work Products: Recorded commitments
Further Explanation: Includes decisions and agreement to requirements, project plans, and
their related elements.
Context Specific
Development
Context: Use processes to develop quality products and services to meet the needs of
customers and end users.
• Systems Engineering Management Plan – a plan that details the integrated technical effort
across the project.
• Systems Engineering Master Schedule – an event-based schedule that contains a
compilation of key technical accomplishments, each with measurable criteria, requiring
successful completion to pass identified events.
• Systems Engineering Detailed Schedule – a detailed, time dependent, task-oriented
schedule that associates dates and milestones with the Systems Engineering Master
Schedule.
Level 3
PLAN 3.1
Required Practice Information
Practice Statement
Use the organization’s set of standard processes and tailoring guidelines to develop, keep
updated, and follow the project process.
Value
Establishes the project process, ensuring the efficient and effective achievement of the
objectives.
When the organization's set of standard processes change, there may be changes in the
project’s processes.
Example Activities
Context Specific
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
The description of the defined process should be based on services that the project delivers,
including both tailored standard services and unique services, and the service delivery
environment.
Organizations that define standard services may have individual systems that enable the
delivery of those standard services. Any processes that are components of service system(s)
within an organization are good candidates to consider when defining the standard processes
for delivering services.
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
The supplier agreement should identify the key activities to deliver a solution that meets
requirements. The acquirer may require the supplier to align selected supplier processes with
the acquirer’s defined process to achieve the project goals.
The acquirer should align its defined process with the acquisition strategy. For example,
whether the acquisition strategy is to introduce new technology or to consolidate existing
solutions affects the acquirer’s defined process.
Supplier deliverables may include:
• Common defined processes
• Requirements tools shared by both acquirer and supplier
• Test tools and facilities shared by both acquirer and supplier
PLAN 3.2
Required Practice Information
Practice Statement
Develop a plan and keep it updated using the project process, the organization’s process assets,
and the measurement repository.
Value
Increases the likelihood that the objectives will be met, by using proven organizational assets
for planning the project.
Example Activities
Context Specific
Development
Context: Use processes to develop quality products and services to meet the needs of
customers and end users.
Context: Use processes to deliver, manage, and improve services to meet customer needs.
The work plan should include service delivery and, when needed, service system development
and service system transition.
Examples of the types of service data contained in the organization’s measurement repository
include:
• Service capacity
• Number of service requests received, closed, cancelled, or in progress
• Number of service requests that missed their service level agreement
• Standard services from the catalog that are in high demand
• Average service request completion time
• Average cost consumed by service request
Plans that affect the work plan include:
• Capacity and availability management strategy
• Service continuity plan
• Incident management approach
• Risk and opportunity management approach
When developing a plan for the project, it is important to develop, keep updated, and follow a
strategy for capacity and availability management for critical services. This will help ensure the
right resources will be available to meet the requirements when needed and that the
organization can meet commitments to customers within agreed limits.
A capacity and availability management strategy is based on requirements, failure and incident
trend analysis, current resource use, and service system performance. Strategy should consider
the minimum, maximum, and average use of resources over the short, medium, and long term.
It may be appropriate for some projects to identify, plan for, and manage the availability of
resources to respond to sudden, unexpected increases in demand. Sometimes, the
management of the obsolescence of certain resources and offerings factors into the strategy for
capacity and availability management.
Service representations can help to determine resources and aspects to measure, monitor,
analyze, and manage. However, solution design documents may not be available or may not
accurately and completely reflect all aspects of the live environment that affect capacity and
availability. It is important to monitor and analyze actual capacity and availability data.
Requirements strategies, monitoring, and information from day-to-day service delivery, product
development, or acquisition can assist with these determinations.
The capacity and availability management strategy can reflect limits and constraints, e.g.,
limited customer funding, the customer’s acceptance of certain risks related to capacity and
availability.
The provider must formulate a strategy that best meets requirements, even if it cannot
influence or control demand and resource adjustments. This strategy can be more sophisticated
in situations where the provider can influence or control demand and resource adjustments.
Example activities for developing a capacity and availability management strategy include:
• Recording actual resource use, performance, and availability data
• Estimating future resource and capacity and availability requirements
• Developing a capacity and availability strategy that meets requirements, meets the
demand for resources and services, products, or acquisitions, and addresses how the
organization provides, uses, and allocates resources
• If appropriate, including an availability testing schedule, a maintenance strategy, and an
outage schedule
• Recording costs and benefits of the strategy and any assumptions
• As necessary, revising the strategy on an event-driven basis
PLAN 3.3
Required Practice Information
Practice Statement
Identify and negotiate critical dependencies.
Value
Reduces risk and increases the likelihood the project will be completed on time, within budget,
and meet quality objectives by paying close attention to critical dependencies.
Example Activities
PLAN 3.4
Required Practice Information
Practice Statement
Plan for the project environment and keep it updated based on the organization’s standards.
Value
Ensures that the resources needed to complete the work are readily available to maximize
productivity.
Example Activities
Context Specific
Development
Context: Use processes to develop quality products and services to meet the needs of
customers and end users.
The project environment might encompass environments for product development, integration,
verification, and validation, or they might be separate environments.
Development-specific examples of equipment and tools include:
• Design tools
• Configuration management tools
• Evaluation tools
• Integration tools
• Automated test tools
Components in the development environment include software, databases, hardware, tools, test
equipment, and appropriate documentation. Qualification of software includes appropriate
certifications. Hardware and test equipment qualification includes calibration and adjustment
records and traceability to calibration standards.
Examples of actions to improve the development environment include:
• Adding new tools
• Acquiring additional networks, equipment, training, and support
Security
Consider security needs when planning for the project environment. Key activities include:
• Analyzing technology needs, e.g., review current platforms, servers, networks, and tools;
and conduct a security needs assessment
• Identifying criteria for selecting security tools and methodologies
• Evaluating and selecting security tools
• Applying security tools and methodologies
• Defining physical security processes, procedures, and protocols
Consider an environment implementation that incorporates defense in depth to maximize
overall mitigation of security risk. Consider the following types of security tools when planning
for the secure environment:
• Badging and physical access control
• Common Weakness Enumeration (CWE) scans, to help identify software vulnerabilities
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Verification and validation of the service system can include both initial and ongoing evaluation
of the environment in which the service provider delivers the service.
Components in the services work environment include those necessary to support service
delivery, software, databases, hardware, tools, test equipment, and appropriate documentation.
Qualification of a service delivery environment includes audits of the environment and its
components for compliance with safety requirements and regulations. Software qualification
includes appropriate certifications. Hardware and test equipment qualification includes
calibration records and traceability to calibration standards.
Examples of actions to take to improve the services work environment include:
• Adding new equipment and tools
• Acquiring additional networks, equipment, training, and support
Examples of equipment and tools include:
• Resource management tools for service delivery
• Incident and request management tools
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
Ensure that the supplier’s and acquirer’s projects are compatible to enable the efficient and
effective transfer of work products and solutions.
Define the project environment in the plan, and include any environments required throughout
the project lifecycle.
Example environment types include:
• Acquirer or supplier facilities
• Independent Verification and Validation (IV&V)
• Configuration Management
• Testing
• Infrastructure hosting
• Information repositories
• Field sites
• Classified facilities
Level 4
PLAN 4.1
Required Practice Information
Practice Statement
Use statistical and other quantitative techniques to develop and keep the project processes
updated to enable achievement of the quality and process performance objectives.
Value
Increases the likelihood that the processes of the project will enable achievement of consistent
performance and quality.
Example Activities
Intent
Develops the process assets necessary to perform the work and keeps them updated.
Value
Provides a capability to understand and repeat successful performance.
Explanatory PA Information
Practice Summary
Level 1
PAD 1.1 Develop process assets to perform the work.
Level 2
PAD 2.1 Determine what process assets will be needed to perform the work.
PAD 2.2 Develop, buy, or reuse process assets.
PAD 2.3 Make processes and assets available.
Level 3
PAD 3.1 Develop, keep updated, and follow a strategy for building and updating
process assets.
PAD 3.2 Develop, record, and keep updated a process architecture that describes
the structure of the organization’s processes and process assets.
PAD 3.3 Develop, keep updated, and make the organization’s processes and
assets available for use in a process asset library.
PAD 3.4 Develop, keep updated, and use tailoring criteria and guidelines for the
set of standard processes and assets.
PAD 3.5 Develop, keep updated, and make work environment standards available
for use.
PAD 3.6 Develop, keep updated, and make organizational measurement and
analysis standards available for use.
Context Specific
Agile Development
Agile is an iterative approach to project management and software development that helps
teams deliver value to their customers faster. Figure PAD-1: Typical Agile Assets shows some
example agile process assets.
• Agile Processes: Agile processes and workflows are typically embedded within tools.
• Product Backlog Tool / Template: A product backlog lists and prioritizes the task-level
details required to execute the strategic plan set forth in the roadmap. The backlog should
communicate what is next on the team’s to-do list as they execute on the roadmap.
Typical items in a product backlog include user stories, bug fixes, and other tasks. The
backlog is a translation of how the team delivers the vision outlined on an agile roadmap.
• Sprint Backlog and Release Plan Tool / Templates
o A Sprint backlog is a list of work items the team plans to complete. These items are
usually pulled from the product backlog during the Sprint planning session.
o Release planning maximizes the chances of achieving the goals of the Sprint.
• Task Board Tool / Template - A Task Board is the focal point of any Agile project and
serves as a good place at which to hold the stand-up meeting or Scrum. Typically, a Task
Board displays only information pertinent to the current Sprint and is cleared off before
the next Sprint begins. The task board depicts the set of tasks to be performed by the
agile team during a particular period of time. One type of task board used by agile teams
is Kanban.
• Burndown Chart Tool / Template - A burndown chart or burn down chart is a graphical
representation of work left to do versus time. The outstanding work (or backlog) is often
on the vertical axis, with time along the horizontal. Burn down charts are a run chart of
outstanding work and are useful for predicting when all the work will be completed.
Data
Context: Use processes to incorporate data management best practices as an integral part
of the solution.
Establish process assets for managing the data aspects of the work. For example, define
process assets for the following:
• Business rules for data management and data quality, e.g., data sufficiency, data
ownership, data coverage, data completeness
• Metadata management processes, e.g., adding metadata categories, managing metadata
repositories, validating metadata, analyzing impacts of potential data changes
• Data retention criteria and processes, consistent with legal and regulatory requirements
• Data security, e.g., access controls, permission levels, levels of data classification
• Archival and retrieval processes, consistent with organizational and regulatory
requirements
• Data remediation processes
• Audit requirements and audit trail logs
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps teams rely on a set of automated process assets and tools, allowing developers,
operations, and security to collaborate to build and deploy software to production. This includes
build automation/Continuous Integration (CI), automated testing, validation, and reporting.
Pipelines are built for each DevSecOps team based on the environment, e.g., resources and tool
availability. Pipeline development and process assets improve and evolve over time. Pipelines
may also include manual gates requiring human intervention before code is deployed. A key
characteristic of a DevSecOps pipeline is Continuous Integration / Continuous Delivery (CI/CD),
continuous feedback, and continuous operations. These functions occur on an ongoing basis.
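As an added illustration of the pipeline shape described above (this is not part of the CMMI model text and not any particular project's configuration), the following GitHub Actions workflow is an assumed example: it chains a build and automated test stage with a static analysis stage, and makes the production deployment job depend on an environment whose protection rules require a human reviewer, which is the kind of manual gate the paragraph mentions. The workflow name, job names, build targets, project language, and deployment script are illustrative assumptions; the reviewer requirement itself is configured in the repository's environment settings rather than in this file.

```yaml
# Assumed example (not from the CMMI model): a CI/CD pipeline with a manual gate.
name: devsecops-pipeline

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # lets the analysis step upload its findings

jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Continuous Integration: build and run the automated tests on every change.
      - name: Build
        run: make build          # assumed build target
      - name: Unit tests
        run: make test           # assumed test target

  static-analysis:
    # Security stage: static analysis runs as part of integration, not after release.
    needs: build-and-test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python      # assumed project language
      - uses: github/codeql-action/analyze@v3

  deploy-production:
    # Continuous Delivery: deployment runs only after build, tests and analysis pass.
    needs: [build-and-test, static-analysis]
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Manual gate: the 'production' environment is assumed to be configured in the
    # repository settings with required reviewers, so this job waits for human approval.
    environment: production
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        run: ./scripts/deploy.sh   # assumed deployment script
```

The ordering of `needs` is what turns the stages into a pipeline: a change that fails the build, the tests, or the analysis never reaches the deployment job, and the environment gate adds the human decision point before code reaches production.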
Safety
Safety process maps, processes, and guidelines provide roadmaps to address workplace
environment and functional hazards and other safety related risks and issues. Ensure that the
organization continually supports deployment of safety processes and process assets,
particularly when starting new work. Incorporate the status of safety process deployment
activities within the organization’s list of projects.
Security
Security process maps, processes, and guidelines provide roadmaps to address workplace
environment and security related risks and issues. Ensure that the organization continually
supports deployment of security processes and process assets, particularly when starting new
work. Incorporate the status of security process deployment activities within the organization’s
list of projects.
Level 1
PAD 1.1
Required Practice Information
Practice Statement
Develop process assets to perform the work.
Value
Improves consistency to increase likelihood of meeting objectives.
Example Activities
Level 2
PAD 2.1
Required Practice Information
Practice Statement
Determine what process assets will be needed to perform the work.
Value
Avoids waste by focusing resources only on the process assets needed to perform the work.
Example Activities
PAD 2.2
Required Practice Information
Practice Statement
Develop, buy, or reuse process assets.
Value
Minimizes costs, effort, and time needed for developing the assets.
Example Activities
PAD 2.3
Required Practice Information
Practice Statement
Make processes and assets available.
Value
Reduces cost and time needed for performing the work by using existing process assets.
Example Activities
Level 3
PAD 3.1
Required Practice Information
Practice Statement
Develop, keep updated, and follow a strategy for building and updating process assets.
Value
Provides a structure and direction for asset building that minimizes cost.
Example Activities
PAD 3.2
Required Practice Information
Practice Statement
Develop, record, and keep updated a process architecture that describes the structure of the
organization’s processes and process assets.
Value
Ensures that processes add value by providing a robust process architecture.
The content architecture may vary independently over time because of changes to
organizational needs. The structural architecture typically changes only when there is a major
change to the organization, the process needs, or the process approach.
Clearly specified processes interact efficiently resulting in less redundancy and fewer gaps,
therefore ensuring that every process adds value. A process architecture:
• Reduces risks
• Increases quality
• Improves time-to-market
• Increases customer satisfaction
• Facilitates achievement of business objectives
• Promotes understandings between work groups
• Helps clarify roles and responsibilities
• Improves coordination of efforts
• Reduces unnecessary activities
• Reduces missed activities
• Improves process flow by ensuring that all necessary inputs and outputs are defined
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps tools and automated processes should be reviewed and considered for any process
architecture. This would include where and how the automated tools interface or connect and
integrate with manual processes.
Safety
Specifically address safety within the organization’s process framework. Define responsibilities
and provide training so that all individuals in the organization understand their role in ensuring
safety. Additionally, define how safety-related activities relate to other development, post-
development, and operational activities, including required inputs and outputs. Integrate safety
processes with other processes to ensure relationship dependencies are captured.
Security
Specifically address security within the organization’s process framework. Define responsibilities
and provide training so that all individuals in the organization understand their role in ensuring
security. Additionally, define how security-related activities relate to other development, post-
development, and operational activities, including required inputs and outputs. Integrate
security processes with other processes to ensure relationship dependencies are captured.
PAD 3.3
Required Practice Information
Practice Statement
Develop, keep updated, and make the organization’s processes and assets available for use in a
process asset library.
Value
Reduces the time and effort needed to organize, access, and update process assets, leading to
reduced cost and waste.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps tools and their related automated processes are part of the overall organizational
processes and assets. As with any other process or process assets, these processes should be
periodically reviewed for effectiveness and efficiency.
Safety
Ensure suitable safety guidelines and process assets are available to support the work.
Security
Ensure suitable security guidelines and process assets are available to support the work.
Example activities include:
• Select and adapt existing guidelines and assets, as necessary, to match the technologies
and the context of the work, including security aspects
• Manage the security guidelines and assets, and make them accessible to the organization
• Keep the guidelines and assets updated, based on changes in technology, standards, or
security
o Conduct and incorporate industry research to remain current with the latest industry
trends and state-of-the-art information
o Collect and review feedback periodically for updates, considering inputs from external
stakeholders and practitioners
• Verify usage of the correct security assets through periodic reviews
Example security assets include:
• Security design guidelines
• Secure coding guidelines for different programming languages
• Libraries for authentication
• Authorization mechanisms
PAD 3.4
Required Practice Information
Practice Statement
Develop, keep updated, and use tailoring criteria and guidelines for the set of standard
processes and assets.
Value
Accommodates the unique needs of each project while avoiding unnecessary work.
Example Activities
Context Specific
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
When defining tailoring guidelines and criteria in a service delivery environment, consider:
• The service catalog, and how standard services and service components are selected or
modified based on the standard services available
• Fixed elements of standard services that will not change. Fixed elements may have
allowable variation within specified limits. Examples of allowable variation:
o Pricing
o Hours of operation
o Geographical coverage
• Knowledge of variability in customer needs to develop tailoring options
• Needs and expectations for service systems, e.g., core assets that are consistent across
standard services
PAD 3.5
Required Practice Information
Practice Statement
Develop, keep updated, and make work environment standards available for use.
Value
Increases productivity and consistency across projects through a specified and established work
environment.
Example Activities
PAD 3.6
Required Practice Information
Practice Statement
Develop, keep updated, and make organizational measurement and analysis standards available
for use.
Value
Supports consistent use of measurements and related analysis for better decision-making.
Example Activities
Intent
Manages and implements the continuous performance improvement of processes and
infrastructure to meet business objectives by identifying and implementing the most beneficial
process improvements and making performance results visible, accessible, and sustainable.
Value
Ensures that processes, infrastructure, and their improvement contribute to successfully
meeting business objectives.
Explanatory PA Information
Practice Summary
Level 1
PCM 1.1 Develop a support structure to provide process guidance, identify and fix
process problems, and continuously improve processes.
PCM 1.2 Appraise the current process implementation and identify strengths and
weaknesses.
PCM 1.3 Address improvement opportunities or process issues.
Level 2
PCM 2.1 Identify improvements to the processes and process assets.
PCM 2.2 Develop, keep updated, and follow plans for implementing selected
process improvements.
Level 3
PCM 3.1 Develop, keep updated, and use process improvement objectives
traceable to the business objectives.
PCM 3.2 Identify processes that are the largest contributors to meeting business
objectives.
PCM 3.3 Explore and evaluate potential new processes, techniques, methods, and
tools to identify improvement opportunities.
PCM 3.4 Provide support for implementing, deploying, and sustaining process
improvements.
PCM 3.5 Deploy organizational standard processes and process assets.
PCM 3.6 Evaluate and report the effectiveness of deployed improvements in achieving
process improvement objectives.
Level 4
PCM 4.1 Use statistical and other quantitative techniques to validate selected
performance improvements against proposed improvement expectations, business
objectives, or quality and process performance objectives.
Context Specific
Agile Development
Agile teams collect retrospective data at the end of each Sprint that provides a rich source of
improvement ideas. Some agile teams form a community of practice where individuals with a
need for similar improvements can share experiences. Typically, retrospective sessions are
focused on ad-hoc topics and improvements at a team level. Process management adds the
systematic collection, analysis, and coordination of these improvements across the organization.
Process management activities can supplement the typical agile team to aid organizational
learning. For example, agile teams collect data, but there is not necessarily a support structure
to manage and use that data. The retrospective session does not typically or systematically
assess each process. The adoption of process management practices produces more robust and
sustainable organizational improvements.
Level 1
PCM 1.1
Required Practice Information
Practice Statement
Develop a support structure to provide process guidance, identify and fix process problems, and
continuously improve processes.
Value
Reduces effort, cycle time, costs, defects, and waste, and increases performance.
Example Activities
PCM 1.2
Required Practice Information
Practice Statement
Appraise the current process implementation and identify strengths and weaknesses.
Value
Provides a systematic and realistic way to identify the most important opportunities for
improvements.
Example Activities
PCM 1.3
Required Practice Information
Practice Statement
Address improvement opportunities or process issues.
Value
Reduces costs by increasing efficiency and effectiveness of projects.
Example Activities
Level 2
PCM 2.1
Required Practice Information
Practice Statement
Identify improvements to the processes and process assets.
Value
Maximizes return on investment by focusing resources on the most critical business needs and
objectives.
Ensure that analysis and evaluation are performed in a timely manner and that
improvements are selected based on their expected value and impact. Decide objectively
which improvements to select. It is generally not possible to implement all suggested
improvements, because doing so may be too expensive or take too long. On the other hand,
addressing only “low hanging fruit” may lead to minor changes or no change at all. A better
approach is to define criteria that help select and deploy the improvements with the highest
business impact.
Example Activities
PCM 2.2
Required Practice Information
Practice Statement
Develop, keep updated, and follow plans for implementing selected process improvements.
Value
Enables more efficient and effective improvement efforts to meet business objectives.
• Deploying
• Conducting post-deployment evaluation
• Collecting feedback and lessons learned
• Monitoring progress
For larger efforts, consider an iterative or incremental approach instead of a one-time effort.
For example, ensure deployable results are available as soon as possible to receive rapid
feedback.
Example Activities
Level 3
PCM 3.1
Required Practice Information
Practice Statement
Develop, keep updated, and use process improvement objectives traceable to the business
objectives.
Value
Ensures that process improvements focus on achieving business objectives.
Example Activities
PCM 3.2
Required Practice Information
Practice Statement
Identify processes that are the largest contributors to meeting business objectives.
Value
Maximizes impact of improvement activities by focusing on and meeting the most important
business needs.
Example Activities
PCM 3.3
Required Practice Information
Practice Statement
Explore and evaluate potential new processes, techniques, methods, and tools to identify
improvement opportunities.
Value
Maximizes process innovation to more efficiently and effectively achieve objectives.
Example Activities
PCM 3.4
Required Practice Information
Practice Statement
Provide support for implementing, deploying, and sustaining process improvements.
Value
Ensures process improvements provide value to the organization over time.
Example Activities
PCM 3.5
Required Practice Information
Practice Statement
Deploy organizational standard processes and process assets.
Value
Ensures efficient, effective, and coordinated process deployment to reduce potential waste from
overlapping improvements.
Example Activities
PCM 3.6
Required Practice Information
Practice Statement
Evaluate and report the effectiveness of deployed improvements in achieving process
improvement objectives.
Value
Ensures deployed processes are contributing to meeting process and performance improvement
objectives.
Example Activities
Level 4
PCM 4.1
Required Practice Information
Practice Statement
Use statistical and other quantitative techniques to validate selected performance improvements
against proposed improvement expectations, business objectives, or quality and process
performance objectives.
Value
Increases the success rate for performance improvement implementation.
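The practice statement asks for a statistical check of a selected improvement, not just a before/after comparison of averages. The following is an added worked example, not part of the CMMI model text: a two-proportion z-test applied to defect rates measured before and after a process change, combined with the business objective the change was meant to meet. The defect counts, the 4% target rate and the 0.05 significance level are constructed assumptions for illustration.

```python
"""Two-proportion z-test for validating a process improvement.

Added example, not part of the CMMI model text. It compares the defect rate
measured before a process change with the rate measured after it and reports
whether the observed change is statistically distinguishable from chance and
whether it meets a stated quality objective. All counts are constructed.
"""
import math


def _normal_sf(z: float) -> float:
    """Upper-tail probability P(Z > z) of the standard normal distribution."""
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def two_proportion_ztest(defects_before, units_before, defects_after, units_after):
    """Return (z, two_sided_p) for H0: defect rate before == defect rate after."""
    if min(units_before, units_after) <= 0:
        raise ValueError("unit counts must be positive")
    p_before = defects_before / units_before
    p_after = defects_after / units_after
    # Under H0 both samples share one rate, so the pooled estimate is used
    # for the standard error of the difference.
    pooled = (defects_before + defects_after) / (units_before + units_after)
    se = math.sqrt(pooled * (1.0 - pooled) * (1.0 / units_before + 1.0 / units_after))
    if se == 0.0:
        raise ValueError("no variance: all units are defective, or none are")
    z = (p_after - p_before) / se
    return z, 2.0 * _normal_sf(abs(z))


def validate_improvement(defects_before, units_before, defects_after, units_after,
                         target_rate, alpha=0.05):
    """Judge an improvement against both a statistical and a business criterion.

    The improvement is validated only if the drop in defect rate is significant
    at level alpha AND the new rate meets the quality objective target_rate.
    """
    z, p_value = two_proportion_ztest(defects_before, units_before,
                                      defects_after, units_after)
    rate_before = defects_before / units_before
    rate_after = defects_after / units_after
    pooled = (defects_before + defects_after) / (units_before + units_after)
    # Rule of thumb for the normal approximation: at least 5 expected
    # defective and 5 expected non-defective units in each sample.
    approx_ok = all(n * pooled >= 5 and n * (1.0 - pooled) >= 5
                    for n in (units_before, units_after))
    significant = p_value < alpha and rate_after < rate_before
    return {
        "rate_before": rate_before,
        "rate_after": rate_after,
        "z": z,
        "p_value": p_value,
        "normal_approximation_ok": approx_ok,
        "statistically_significant": significant,
        "meets_objective": rate_after <= target_rate,
        "validated": significant and rate_after <= target_rate,
    }


if __name__ == "__main__":
    # Constructed pilot data: 60 defects in 1000 units before the change,
    # 30 defects in 1000 units after; objective is at most 4% defective.
    result = validate_improvement(60, 1000, 30, 1000, target_rate=0.04)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The two criteria are deliberately separate: a change can be statistically real yet still leave the process short of its objective, and a small pilot can meet the objective by chance. The normal-approximation flag is the caveat a reviewer should look at first, since pilots with few defects are exactly where the z-test is least trustworthy.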
Example Activities
Intent
Verifies and enables improvement of the quality of the processes performed and resulting work
products.
Value
Increases the consistent use and improvement of the processes to maximize business benefit
and customer satisfaction.
Explanatory PA Information
Practice Summary
Level 1
PQA 1.1 Identify and address process and work product issues.
Level 2
PQA 2.1 Develop, keep updated, and follow a quality assurance approach and plan
based on historical quality data.
PQA 2.2 Objectively evaluate selected performed processes and work products
against the recorded process and applicable standards.
PQA 2.3 Communicate quality and non-compliance issues and ensure their
resolution.
PQA 2.4 Record and use results of quality assurance activities.
Level 3
PQA 3.1 Identify and record opportunities for improvement during quality
assurance activities.
Context Specific
Agile Development
Ensure that objective evaluations are integrated into the team’s techniques or rhythms, e.g., as
part of daily standups, story point estimation, code reviews, use of tools, continuous
integration, and retrospectives.
An agile project has many opportunities to objectively evaluate ceremonies and work products,
such as when:
• User stories are examined in the backlog grooming ceremony
• The Scrum Master coaches the team during scrum ceremonies
• Feedback on what was built is obtained in the Sprint review
• The retrospective ceremony reviews prior accomplishments and identifies opportunities for
improvement for the next iteration
• Management or peers observe agile ceremonies being performed using techniques such
as a gemba walk
Level 1
PQA 1.1
Required Practice Information
Practice Statement
Identify and address process and work product issues.
Value
Increases customer satisfaction through improved quality and performance.
Example Activities
Level 2
PQA 2.1
Required Practice Information
Practice Statement
Develop, keep updated, and follow a quality assurance approach and plan based on historical
quality data.
Value
Reduces cost and increases quality by focusing on recurring problem areas.
Example Activities
PQA 2.2
Required Practice Information
Practice Statement
Objectively evaluate selected performed processes and work products against the recorded
process and applicable standards.
Value
Delivers high-quality solutions by identifying and addressing issues throughout the process
execution.
Example Activities
Context Specific
Data
Context: Use processes to incorporate data management best practices as an integral part
of the solution.
Ensure objective evaluation of work products, e.g., criteria and requirements, to verify and
enforce objectivity, and to incorporate all aspects of managing data, e.g., consistent use of the
data glossary terms, data architecture.
Safety
Ensure objective evaluation of work products, e.g., criteria and checklists, incorporate all
aspects of safety activities, e.g., safety objectives, approach to address workplace environment
safety, approach to address functional safety, organizational safety function, safety evaluations,
and organizational safety controls.
Security
Ensure objective evaluation of work products, e.g., criteria and checklists, incorporate all
aspects of security activities, e.g., security objectives, approach to address security in the
workplace environment, approach to address physical security needs, mission security needs,
and cybersecurity.
PQA 2.3
Required Practice Information
Practice Statement
Communicate quality and non-compliance issues and ensure their resolution.
Value
Ensures quality processes, avoids the cost of rework, and improves customer satisfaction.
Example Activities
PQA 2.4
Required Practice Information
Practice Statement
Record and use results of quality assurance activities.
Value
Optimizes future quality assurance activities and reduces the cost of future work.
Example Activities
Level 3
PQA 3.1
Required Practice Information
Practice Statement
Identify and record opportunities for improvement during quality assurance activities.
Value
Improves the organization’s capability to meet its goals and objectives.
Example Activities
Intent
Integrates and delivers the solution that addresses functionality, performance, and quality
requirements.
Value
Increases customers’ satisfaction by giving them a solution that meets or exceeds their
functionality and quality requirements.
Explanatory PA Information
Practice Summary
Level 1
PI 1.1 Assemble solutions and deliver to the customer.
Level 2
PI 2.1 Develop, keep updated, and follow an integration strategy.
PI 2.2 Develop, keep updated, and use the integration environment.
PI 2.3 Develop, keep updated, and follow procedures and criteria for integrating
solutions and components.
PI 2.4 Confirm, prior to integration, that each component has been properly
identified and operates according to its requirements and design.
PI 2.5 Evaluate integrated components to ensure conformance to the solution’s
requirements and design.
PI 2.6 Integrate solutions and components according to the integration strategy.
Level 3
PI 3.1 Review and keep updated interface or connection descriptions for
coverage, completeness, and consistency throughout the solution’s life.
PI 3.2 Confirm, prior to integration, that component interfaces or connections
comply with interface or connection descriptions.
Context Specific
Agile Development
Agile teams typically employ automation and may use DevSecOps processes for unit testing,
regression testing, system testing, and continuous builds, to reduce human effort as much as
possible. These techniques increase productivity and help to detect defects early in the product
development lifecycle.
Data
Context: Use processes to incorporate data management best practices as an integral part
of the solution.
Incorporate data business rules into the product integration strategy, environment procedures,
criteria, and activities. For example, consider data aggregation, data cleansing, source data
optimization and prevention of data duplication, data conversions, data uploads to systems and
platforms, interfaces or connections, exception handling, data transport, data storage, data
archival or retirement, data sovereignty, and protections for data security and data privacy.
DevSecOps
Context: DevSecOps is a mindset, a culture, and a set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps teams typically employ automation to build a build-and-deployment pipeline that
begins with Continuous Integration (CI): when a developer checks code into source control,
automated builds and unit tests are run. Once integration is complete, automated
Continuous Delivery (CD) processes release the code into the test environment, where
automated regression and system testing is performed to prepare the code for deployment.
Finally, Continuous Deployment (also abbreviated CD) refers to the ability to automatically
deploy a developer’s changes from the repository to production. It addresses the historic
problem of manually handing code over to operations teams that rely on mostly manual
processes, which slows delivery to the customer. It builds on the benefits of Continuous
Delivery by automating the last stage in the pipeline, as illustrated in Figure PI-1:
DevSecOps Approach.
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
When service systems are complex and comprised of multiple components, e.g., a combination
of system components and services, the organization may need to sequence or integrate the
services to provide a single customer facing service. In this context, the Product Integration
practices provide an approach to managing and integrating multiple system and service
components or service providers. Applying Product Integration practices to processes enables
an organization to seamlessly integrate interdependent services from various internal and
external service providers into end-to-end services to meet business requirements.
Level 1
PI 1.1
Required Practice Information
Practice Statement
Assemble solutions and deliver to the customer.
Value
Enables customer satisfaction by delivering a usable solution.
Example Activities
Level 2
PI 2.1
Required Practice Information
Practice Statement
Develop, keep updated, and follow an integration strategy.
Value
Ensures that the product will meet customer requirements given available resources.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and a set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
Ensure the integration strategy incorporates appropriate security controls and consideration of
third-party components. Ensure the strategy addresses:
• Level of automation
• Tool use
• Specification scope
• Disabling of services and removal of software that is not needed
• Consideration of threat scenarios
• Use of tooling adapted to monitor a shifting network perimeter and dynamic network behavior
• Removal of unnecessary logins
• Changing of default passwords and logins at specified points, e.g., release, deployment,
installation, decommissioning
Consider the following configuration hardening challenges when addressing the integration
strategy:
• Identifying hardening settings based on threat scenarios and intended functionality. In
solutions, intended functionality determines the services, ports, and interfaces or
connections that are redundant or unnecessary and thus how hardening may be achieved.
• Multiple configuration settings and details
• Heterogeneous, complex, or user-hostile interfaces or connections and vulnerabilities that
could have been introduced through design or automation
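Several items in the list above (disabling services that are not needed, removing unnecessary logins, changing default credentials, deriving hardening settings from intended functionality) can be turned into an automated check that runs as part of the integration strategy. The following is an added example, not the CMMI model’s own content and not tied to any particular product: it audits a host inventory against an allowlist that expresses the solution’s intended functionality. The allowlists, the passwd/shadow lines and the list of enabled services are constructed sample data; on a real host the same functions would be fed /etc/passwd, /etc/shadow and the service manager’s output.

```python
"""Hardening gate for an integration strategy.

Added example, not from the CMMI model text. It checks a host inventory
against an allowlist derived from the solution's intended functionality, in
the spirit of the PI 2.1 DevSecOps list: enabled services that are not needed,
logins that are not needed, and accounts with empty credentials or known
default names. The passwd/shadow lines and the service inventory are
constructed sample data, not a real host.
"""
from dataclasses import dataclass

# Hypothetical allowlist derived from intended functionality: a web API host
# needs exactly these services and these interactive accounts.
REQUIRED_SERVICES = {"sshd", "nginx", "api-server"}
ALLOWED_LOGIN_USERS = {"root", "deploy"}
# Vendor or default account names that should not exist on a deployed host.
KNOWN_DEFAULT_ACCOUNTS = {"admin", "guest", "pi", "ubuntu"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample inventory (not a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
admin:x:1001:1001::/home/admin:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0::/root:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
deploy:$6$saltsalt$hashhashhash:19000:0:99999:7:::
admin::19000:0:99999:7:::
backup:!:19000:0:99999:7:::
toor:$6$saltsalt$hashhashhash:19000:0:99999:7:::
"""
SAMPLE_ENABLED_SERVICES = ["sshd", "nginx", "api-server", "telnet", "cups"]


@dataclass
class Finding:
    severity: str   # critical, high, medium
    subject: str    # account or service name
    message: str


def parse_passwd(text):
    """Map user name -> {uid, shell} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_shadow(text):
    """Map user name -> password hash field from shadow-format lines."""
    return {line.split(":")[0]: line.split(":")[1]
            for line in text.splitlines() if line.strip()}


def audit_host(passwd_text, shadow_text, enabled_services):
    """Return the list of hardening findings for one host inventory."""
    findings = []
    for svc in enabled_services:
        if svc not in REQUIRED_SERVICES:
            findings.append(Finding("high", svc,
                "enabled but not required by intended functionality; disable or remove"))
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    for name, info in users.items():
        pw = hashes.get(name, "*")          # no shadow entry: treat as locked
        can_login = info["shell"] not in NOLOGIN_SHELLS
        locked = pw == "*" or pw.startswith("!")
        if info["uid"] == 0 and name != "root":
            findings.append(Finding("critical", name, "extra UID 0 account"))
        if can_login and pw == "":
            findings.append(Finding("critical", name, "login shell with empty password"))
        if name in KNOWN_DEFAULT_ACCOUNTS:
            findings.append(Finding("high", name, "known default account present; remove it"))
        if can_login and not locked and name not in ALLOWED_LOGIN_USERS:
            findings.append(Finding("high", name, "unnecessary login; remove or lock the account"))
    return findings


def gate_passes(findings):
    """The integration gate blocks on any critical or high finding."""
    return not any(f.severity in ("critical", "high") for f in findings)


if __name__ == "__main__":
    for f in audit_host(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_ENABLED_SERVICES):
        print(f"{f.severity:8} {f.subject:12} {f.message}")
```

The allowlist is the point: the check does not try to enumerate everything that could be wrong, it states what the solution needs and flags every deviation, which is how “intended functionality determines the services, ports, and interfaces that are redundant” becomes something a pipeline can enforce. The sample deliberately includes a locked account with a login shell (backup), which is acceptable, and a second UID 0 account (toor), which is not.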
PI 2.2
Required Practice Information
Practice Statement
Develop, keep updated, and use the integration environment.
Value
Provides an effective risk mitigation technique to ensure that the solution and components are
integrated correctly.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and a set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
o Which is better: VMs or containers? It depends on the needs of the organization and its
customers. Containers work well for running individual applications, not entire
operating systems. Instead of installing an application on the host, a container is run
that packages everything the application needs while sharing the host operating
system kernel. Containers therefore consume fewer host resources than a VM and are
lightweight in terms of setup, maintenance, and use. A VM runs a complete guest
operating system with its own kernel on a hypervisor, which provides a stronger
isolation boundary but adds overhead and a second operating system to patch and
maintain. Because containers share the host kernel, a kernel vulnerability or a
misconfigured container runtime can expose the host and the other containers, so
container isolation should not be treated as equivalent to VM isolation. Since only VMs
act like complete systems, in some situations, e.g., workloads that need their own
kernel or hardware-level isolation, VMs are the only option.
PI 2.3
Required Practice Information
Practice Statement
Develop, keep updated, and follow procedures and criteria for integrating solutions and
components.
Value
Improves the likelihood of producing a solution that works correctly and meets the customer’s
requirements.
Communicate schedule and integration status with affected stakeholders to reduce the risk of
delays and failures.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and a set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
PI 2.4
Required Practice Information
Practice Statement
Confirm, prior to integration, that each component has been properly identified and operates
according to its requirements and design.
Value
Reduces total development cost, integration cycle time, and rework.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and a set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
Development teams build their integration criteria into their CI/CD pipeline using scripts and a
sequence of automated tests. Often, teams use CI tools in a sub-optimal manner by creating
environment-specific commands. This approach limits the team to one tool and makes it more
difficult to migrate to a different tool set. Ideally, teams write environment agnostic scripts and
commands. This minimizes the dependence on a single CI environment and allows the team
greater flexibility.
PI 2.5
Required Practice Information
Practice Statement
Evaluate integrated components to ensure conformance to the solution’s requirements and
design.
Value
Helps to ensure customer requirements are correctly implemented.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and a set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
PI 2.6
Required Practice Information
Practice Statement
Integrate solutions and components according to the integration strategy.
Value
Ensures that the customer receives a solution that meets requirements and design.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and a set of practices that foster close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
DevSecOps teams use their Continuous Delivery (CD) pipeline where automated builds, tests,
and deployments are orchestrated as one release workflow. Pipelines have software gates that
automatically promote or reject versioned components. If the release protocol is not met, the
pipeline aborts. Alerts are generated and notifications are sent to the DevSecOps team for
remediation.
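The gate behaviour described above (automated promotion or rejection of versioned components, abort on an unmet release protocol, alerts for the team) and the environment-agnostic scripting recommended under PI 2.4, shown together as an added example. This is illustrative code, not part of the CMMI model or any vendor's CI product; the protocol thresholds, component names and metrics are constructed for the example, and the metrics dict is a tool-neutral shape assumed here so the same gate logic runs whatever CI tool produced the numbers.

```python
"""Release gate for a CD pipeline: promote or reject versioned components.

Added example; the protocol thresholds, component names and metrics are
constructed for illustration and are not part of the CMMI model.
"""
from dataclasses import dataclass, field

# Release protocol: every gate a versioned component must pass before promotion.
# Thresholds are assumptions for this example.
RELEASE_PROTOCOL = {
    "min_unit_pass_rate": 1.0,  # every unit test must pass
    "min_coverage": 0.80,       # line coverage floor
    "max_critical_vulns": 0,    # no critical scanner findings
    "max_high_vulns": 2,        # at most two high findings
}


@dataclass
class GateResult:
    component: str
    version: str
    promoted: bool
    reasons: list = field(default_factory=list)


def evaluate_gate(component, version, metrics, protocol=RELEASE_PROTOCOL):
    """Apply the release protocol to one component's build, test and scan metrics.

    `metrics` is a tool-neutral dict (assumed shape), so the same gate logic
    applies whatever CI tool produced the numbers; that is what keeps the
    script environment-agnostic.
    """
    reasons = []
    total = metrics["unit_total"]
    pass_rate = metrics["unit_passed"] / total if total else 0.0
    if pass_rate < protocol["min_unit_pass_rate"]:
        reasons.append(f"unit pass rate {pass_rate:.2%} below "
                       f"{protocol['min_unit_pass_rate']:.0%}")
    if metrics["coverage"] < protocol["min_coverage"]:
        reasons.append(f"coverage {metrics['coverage']:.0%} below "
                       f"{protocol['min_coverage']:.0%}")
    if metrics["critical_vulns"] > protocol["max_critical_vulns"]:
        reasons.append(f"{metrics['critical_vulns']} critical vulnerabilities "
                       f"(max {protocol['max_critical_vulns']})")
    if metrics["high_vulns"] > protocol["max_high_vulns"]:
        reasons.append(f"{metrics['high_vulns']} high vulnerabilities "
                       f"(max {protocol['max_high_vulns']})")
    return GateResult(component, version, not reasons, reasons)


def run_pipeline(components, protocol=RELEASE_PROTOCOL):
    """Evaluate components in release order.

    Promoted components are recorded; the first rejection aborts the run and
    raises one alert per unmet gate. Returns (promoted, aborted, alerts).
    """
    promoted, alerts = [], []
    for comp in components:
        result = evaluate_gate(comp["name"], comp["version"], comp["metrics"], protocol)
        tag = f"{result.component}@{result.version}"
        if result.promoted:
            promoted.append(tag)
            continue
        alerts.extend(f"ALERT {tag}: {reason}" for reason in result.reasons)
        return promoted, True, alerts   # release protocol not met: abort
    return promoted, False, alerts


# Constructed metrics for three versioned components (not real projects).
SAMPLE_COMPONENTS = [
    {"name": "auth-service", "version": "1.4.2",
     "metrics": {"unit_total": 120, "unit_passed": 120, "coverage": 0.86,
                 "critical_vulns": 0, "high_vulns": 1}},
    {"name": "billing-api", "version": "2.0.0",
     "metrics": {"unit_total": 80, "unit_passed": 79, "coverage": 0.91,
                 "critical_vulns": 1, "high_vulns": 0}},
    {"name": "web-frontend", "version": "3.7.1",
     "metrics": {"unit_total": 200, "unit_passed": 200, "coverage": 0.75,
                 "critical_vulns": 0, "high_vulns": 0}},
]

if __name__ == "__main__":
    promoted, aborted, alerts = run_pipeline(SAMPLE_COMPONENTS)
    print("promoted:", promoted)
    print("aborted:", aborted)
    for line in alerts:
        print(line)
```

With the constructed input, auth-service is promoted, billing-api fails two gates (one failing unit test and one critical finding) so the run aborts with two alerts, and web-frontend is never evaluated because the abort happens first. Keeping the protocol as data rather than as CI-tool-specific steps is what makes the gate portable between pipeline tools.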
Level 3
PI 3.1
Required Practice Information
Practice Statement
Review and keep updated interface or connection descriptions for coverage, completeness, and
consistency throughout the solution’s life.
Value
Reduces rework and missed project objectives caused by incompatible or inconsistent interfaces
or connections.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and a set of practices that foster close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
Understanding system impact is essential to DevSecOps. For example, when applications are
built on service-oriented architectures, the requirements for one feature may include other system
dependencies. Dependency requirements typically take two forms: 1) changes with a potentially
negative impact on another part of the application, and 2) changes that depend on some
other part of the application before the feature can be implemented.
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
In the context of service systems, interfaces or connections can fit into one of four major
groups: person-to-person, person-to-component, component-to-component, and compound
interfaces:
• Person-to-person interfaces are interfaces or connections that represent direct or indirect
communication between two or more people
o These people can include service provider personnel or end users
o For example, a call script (which defines how a help desk operator should interact with
an end user) defines a direct person-to-person interface
o Logbooks and instructional signage are examples of indirect person-to-person
interfaces or connections
• Person-to-component interfaces are interfaces or connections that encompass interactions
between a person and one or more service system components
o These interfaces or connections can include both graphical user interfaces for
automated components, e.g., software applications, and operator control mechanisms
for automated, partially automated, and non-automated components, e.g., equipment,
vehicles
• Component-to-component interfaces are interfaces or connections that do not include
direct human interaction
o This includes the interfaces of interactions between automated components and other
possibilities, such as specifications limiting the physical interaction of two components,
e.g., a delivery truck and a loading dock
• Compound interfaces are interfaces or connections that merge or layer together interfaces
from more than one of the other three groups
o For example, an online help system with live chat support might have a compound
interface built on an integrated combination of person-to-person, person-to-
component, and component-to-component interfaces
Interfaces can be external or internal:
• External interfaces are interactions among components of the service system and any
other entity external to the service system, including people, organizations, and systems
• Internal interfaces can include interactions among personnel, teams, and functions of the
service provider organization; internal interfaces can also include interaction between
personnel or end users and service system components
Examples of user interface work products include:
• Customer interaction scripts
• Reporting types and frequency
• Application program interfaces or connections
PI 3.2
Required Practice Information
Practice Statement
Confirm, prior to integration, that component interfaces or connections comply with interface or
connection descriptions.
Value
Reduces the amount of rework due to interface or connection incompatibility.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and a set of practices that foster close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
As the code moves through the Continuous Integration (CI) process, a series of automated unit
tests is run. When a CI server is used, a build will eventually fail on the CI server because of
differences in the environment while passing on the development machine. When this happens,
candidate causes such as configuration issues, language version, package installation, memory
limitations, and test user permissions are eliminated systematically by comparison with the
environment where the tests passed, the issue is narrowed down to what has changed recently
in the build, and any unmet integration requirement is identified and resolved.
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Integrate the service system as defined in the planned integration strategy and procedures.
Before integration, verify each service system component for compliance with its interface or
connection requirements, including any service system components that are manual processes.
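The pre-integration check described in PI 3.2 (confirm that a component's interface complies with its interface description before it is integrated), as an added example that is not part of the CMMI model. The interface description format, the version-compatibility rule (same major version, minor version at least the described one), the field type vocabulary and the sample components are all assumptions constructed for this example; the same description is also used to check an actual message at run time, so the design-time and integration-time checks stay consistent.

```python
"""Check a component's declared interface against its interface description
before integration. Added example with a constructed description format;
not the CMMI model's own material."""

# Interface description: what the integration strategy says a producer of
# OrderEvent messages must expose (constructed for this example).
INTERFACE_DESCRIPTION = {
    "name": "OrderEvent",
    "version": "2.1",
    "fields": {
        "order_id":      {"type": "string",  "required": True},
        "amount_cents":  {"type": "integer", "required": True},
        "currency":      {"type": "string",  "required": True},
        "customer_note": {"type": "string",  "required": False},
    },
}

# Assumed compatibility rule: same major version, minor >= described minor.
def parse_version(v):
    major, minor = v.split(".")
    return int(major), int(minor)


def check_interface(description, declared):
    """Compare a component's declared interface with the description.

    Returns a list of findings prefixed ERROR or WARN; an empty list means
    compliant. Missing required fields and type conflicts are errors; fields
    the description does not know about are warnings for the reviewer.
    """
    findings = []
    d_major, d_minor = parse_version(description["version"])
    c_major, c_minor = parse_version(declared["version"])
    if c_major != d_major:
        findings.append(f"ERROR: major version {c_major} != described {d_major}")
    elif c_minor < d_minor:
        findings.append(f"ERROR: minor version {c_minor} < described {d_minor}")
    for name, spec in description["fields"].items():
        if name not in declared["fields"]:
            if spec["required"]:
                findings.append(f"ERROR: required field '{name}' missing")
            continue
        if declared["fields"][name] != spec["type"]:
            findings.append(f"ERROR: field '{name}' is {declared['fields'][name]}, "
                            f"description says {spec['type']}")
    for name in declared["fields"]:
        if name not in description["fields"]:
            findings.append(f"WARN: field '{name}' not in interface description")
    return findings


def is_compliant(findings):
    """Warnings do not block integration; errors do."""
    return not any(f.startswith("ERROR") for f in findings)


def check_message(description, message):
    """Run-time counterpart: validate one actual message against the same
    description, so the integration-time and run-time checks agree."""
    type_map = {"string": str, "integer": int}
    findings = []
    for name, spec in description["fields"].items():
        if name not in message:
            if spec["required"]:
                findings.append(f"ERROR: missing '{name}'")
            continue
        value = message[name]
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, type_map[spec["type"]]):
            findings.append(f"ERROR: '{name}' has {type(value).__name__}, "
                            f"expected {spec['type']}")
    return findings


# Constructed declarations from two candidate components.
COMPLIANT_COMPONENT = {
    "version": "2.3",
    "fields": {"order_id": "string", "amount_cents": "integer",
               "currency": "string", "customer_note": "string"},
}
NONCOMPLIANT_COMPONENT = {
    "version": "2.0",
    "fields": {"order_id": "string", "amount_cents": "string",
               "legacy_flag": "boolean"},
}

if __name__ == "__main__":
    for label, comp in [("good", COMPLIANT_COMPONENT), ("bad", NONCOMPLIANT_COMPONENT)]:
        findings = check_interface(INTERFACE_DESCRIPTION, comp)
        print(label, "compliant" if is_compliant(findings) else "rejected", findings)
```

The non-compliant declaration trips three errors (older minor version, wrong type for amount_cents, missing required currency) and one warning (an extra field), so it is held back before integration rather than discovered as an incompatibility afterwards, which is the rework PI 3.2 is meant to avoid.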
PI 3.3
Required Practice Information
Practice Statement
Evaluate integrated components for interface or connection compatibility.
Value
Reduces the risk of interface or connection failure within integrated components.
Example Activities
Context Specific
DevSecOps
Context: DevSecOps is a mindset, a culture, and a set of practices that foster close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
CI requires automated unit and integration tests. These tests must be comprehensive enough
that teams have confidence that the software works as expected, that vulnerabilities are
identified and fixed, and that the software meets the requirements. The unit tests must run
quickly so that they do not delay development at check-in. Complex automated tests are
typically run overnight so that developers have the results the next day and can discuss them.
The tests must be run frequently and be kept updated. If the tests are run infrequently, a test
failure can originate from many different changes, making it much harder and more expensive
to debug and more complicated to keep updated.
Creating maintainable sets of automated unit tests is difficult and complex. An effective way to
address this problem is to practice Test-Driven Development (TDD), where developers write
automated tests that initially fail, then implement the code that makes the tests pass. TDD
helps ensure developers write code that is modular and easy to test, which reduces the
maintenance of the resulting automated test suites.
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Some service systems can require assembly with customer or end user resources to complete
full integration. When these resources are available under the terms of a service agreement,
incorporate them, as appropriate, in integration activities. When such resources are not
available from customers and end users, temporarily employ equivalent substitute resources to
enable full service system integration.
Intent
Elicits requirements, confirms common understanding by stakeholders, and aligns requirements,
plans, and work products.
Value
Increases likelihood that the solution meets or exceeds customer expectations and needs.
Explanatory PA Information
Practice Summary
Level 1
RDM 1.1 Record requirements.
Level 2
RDM 2.1 Elicit stakeholder needs, expectations, constraints, and interfaces or
connections, and confirm understanding of the requirements.
RDM 2.2 Transform stakeholder needs, expectations, constraints, and interfaces or
connections into prioritized customer requirements.
RDM 2.3 Obtain commitment from project participants that they can implement
the requirements.
RDM 2.4 Develop, record, and keep updated bidirectional traceability among
requirements and activities or work products.
RDM 2.5 Ensure that plans and activities or work products remain consistent with
requirements.
Level 3
RDM 3.1 Develop and keep requirements updated for the solution and its
components.
RDM 3.2 Develop operational concepts and scenarios.
RDM 3.3 Allocate the requirements to be implemented.
RDM 3.4 Identify, develop, and keep updated interface or connection
requirements.
Analyses are iterated until there is enough detail to develop the solution or a portion of the
solution. Analysis of requirements and the operational concepts and scenarios may result in
identifying more requirements, including:
• Constraints of various types
• Technological limitations
• Costs
• Time constraints
• Risks
• Functionality, support, and maintenance concerns
• Issues implied but not explicitly stated by the customer
• Business considerations, regulations, and laws
Develop a functional design through iteration with the evolving operational concept and
scenarios. During design, refine, derive, and allocate requirements to the functional solution
and solution components.
Context Specific
Agile Development
Agile teams elicit user needs as a backlog of user stories, but a backlog does not typically
include constraints, interfaces or connections, and quality attributes.
Table RDM-1: Typical Agile Requirements Activities shows where requirements activities can
augment a typical agile project.
Agile projects typically implement traceability from business need through epics, user stories,
tasks, tests, and the definition of done. Designs and code are often traced directly to user
stories. Traceability enables more efficient and accurate consistency checks between user
stories or epics and work products. Traceability also improves the ability to understand and
address what is impacted by a change to a user story or epic.
Data
Context: Use processes to incorporate data management best practices as an integral part
of the solution.
Ensure data requirements and business rules, e.g., security rules; physical and logical data;
prioritized data quality dimensions for databases, software, and technology; are recorded as
requirements, reflected in business terms, traceable to business objectives, and meet legal and
regulatory requirements. Analyze data requirements based on business objectives and priorities.
Evaluate the criticality of data within scope against high-priority business objectives according
to the primary purpose, e.g., regulatory reporting. Include customer feedback in the analysis to
determine if there are implied or unstated business objectives that may be important to
accommodate. Identify, track, and manage critical data elements.
Development
Context: Use processes to develop quality products and services to meet the needs of
customers and end users.
For product lines, engineering processes (including requirements development) may be applied
at multiple levels. At the product line level, perform a “commonality and variation analysis” to
help elicit, analyze, and develop core assets for use by projects within the product line. At the
project level, use these core assets per the product line plan as part of the project’s engineering
activities.
Security
Determine security needs by addressing and analyzing inputs from various sources, as derived
from:
• Security needs of affected stakeholders
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Analyze all stakeholder requirements while developing the service delivery and operational
agreement, approach, and objectives to derive more detailed and precise sets of requirements
called derived requirements. These requirements address all aspects of the service system
associated with service delivery, including work products, services, processes, consumables,
customer resources, other resources, warranty costs, service incentives, and the functionality
and quality attribute needs of affected stakeholders.
In some service contexts, derived requirements can be as simple as identifying and quantifying
required resources. For complex service systems with many types of components and interfaces
or connections, iteratively refine the initial requirements into lower-level sets of more detailed
requirements that can be allocated to service system components as the preferred solution is
refined.
Develop the functionality and quality attribute requirements for the service system through this
analysis and through refinement, derivation, and allocation activities. Service delivery,
operations, and system requirements are monitored throughout the service delivery and
lifecycle.
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
The acquirer has overall responsibility for ensuring that requirements meet the objectives for
the solution. The acquirer should clearly define requirements that can be incorporated into
supplier agreements and solutions. In some acquisitions, the acquirer assumes the overall role
of engineer, architect, or integrator for the solution.
Level 1
RDM 1.1
Required Practice Information
Practice Statement
Record requirements.
Value
Addresses customer needs and expectations.
Example Activities
Level 2
RDM 2.1
Required Practice Information
Practice Statement
Elicit stakeholder needs, expectations, constraints, and interfaces or connections, and confirm
understanding of the requirements.
Value
Ensures a deeper mutual understanding of the requirements and increases the likelihood that
the customer will be satisfied.
• Traceable to source
• Achievable
• Tied to business value
• Identified as a priority by the customer
Evaluation and acceptance criteria can prevent:
• Inadequate verification
• Costly rework
• Customer rejection
Example Activities
Context Specific
Safety
Analyze requirements from the perspective of safety considerations. For example, the analysis
may include a review of subsystem interrelationships for:
• Compliance with specified Environment, Safety, and Occupational Health (ESOH) design
criteria
RDM 2.2
Required Practice Information
Practice Statement
Transform stakeholder needs, expectations, constraints, and interfaces or connections into
prioritized customer requirements.
Value
Ensures customer priorities are addressed to minimize the cost of rework during acceptance and
maximize customer satisfaction.
Analyze stakeholder requirements to lay the foundation for the operational concept. To avoid
scope creep, develop criteria to designate appropriate channels or official sources from which to
receive requirements changes.
This results in more detailed and precise sets of requirements called “derived requirements”.
These requirements address all aspects of the deliverables including:
• Work products
• Services
• Processes
• Consumables
• Customer-provided resources and other resources
• Functionality and quality attribute needs of affected stakeholders
Derived requirements arise from:
• Constraints
• Consideration of issues implied but not explicitly stated in the stakeholder requirements
• Factors introduced by the selected:
o Unique business considerations
o Strategic priorities
o Industry market and technology trends
o Architecture
o Design
Example Activities
Context Specific
Data
Context: Use processes to incorporate data management best practices as an integral part
of the solution.
Record data interface or connection specifications following established criteria and processes
for shared data, including traceability from creation through consumption, by all sources within
scope.
Safety
Requirements help identify and define all known hazards and their associated risks and enable
the elimination or reduction of safety risks to acceptable levels. Consider outcomes from safety
evaluation activities when identifying safety requirements. Establish traceability of safety
requirements to related hazards. Set a safety target for each safety requirement. For example,
the safety target should ensure the product’s risk is less than or equal to the acceptable risk,
based on the minimum acceptable safety tolerance limits. Ensure the safety target and product
risk information are carried forward into product design. Identify specific system safety
engineering requirements in the system specification including risk assessment and mitigation,
fault tolerance, acceptance, unique classifications and certifications, or any unique mishap
reduction needs, e.g., detection, isolation, annunciation, and recovery.
RDM 2.3
Required Practice Information
Practice Statement
Obtain commitment from project participants that they can implement the requirements.
Value
Ensures commitments are well understood to minimize delays and rework.
Example Activities
Context Specific
Safety
Perform a safety impact analysis at any point within the solution lifecycle when requirements
change. Some safety groups and standards call these impact analyses System Hazard Analysis
(SHA). They are used to verify system compliance with Environment, Safety, and Occupational
Health (ESOH) requirements contained in system specifications and other relevant documents.
The impact analysis report includes system information for the solution, with hazard analysis
results incorporated, as appropriate. Contents and formats of the hazard information may vary
according to the individual requirements of the program. The detailed content for hazard
analysis results may include:
• Summary of the analysis results
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
The acquirer negotiates with the customer and supplier before committing to a requirement
change. A requirements change can lead to modifications to supplier agreements. Ensure the
acquirer, supplier, and customer agree on these changes after appropriate negotiations. In
some acquisitions, the acquirer may represent and act on behalf of the customer. Deliverables
may include impact assessments when a requirement change occurs.
RDM 2.4
Required Practice Information
Practice Statement
Develop, record, and keep updated bidirectional traceability among requirements and activities
or work products.
Value
Ensures consistency between requirements and the solution which increases the likelihood of
customer satisfaction.
Example Activities
Context Specific
Safety
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
The acquirer maintains overall bidirectional traceability between customer requirements and the
solution. The supplier maintains bidirectional traceability between the solution, the solution
components, and the requirements defined in the supplier agreement. The acquirer verifies that
traceability. The supplier also maintains traceability from contractual requirements to derived or
additional requirements.
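The bidirectional traceability that RDM 2.4 asks for, and the consistency check between requirements and work products that RDM 2.5 builds on it, as an added example that is not part of the CMMI model. Forward tracing (requirement to design, code and test) finds requirements that nothing implements or verifies; backward tracing (work product to requirement) finds orphan work products, a common sign of scope creep, and links to requirements that no longer exist. The requirement ids, work product ids, the set of work product kinds each requirement must be covered by, and the link records are constructed assumptions for this example.

```python
"""Bidirectional traceability check between requirements and work products.
Added example with constructed records; not the CMMI model's own material."""
from collections import defaultdict

# Constructed requirements, each traced back to its source (RDM 2.1 records
# the source; the ids here are placeholders, not real documents).
REQUIREMENTS = {
    "REQ-1": {"text": "Users authenticate with a second factor", "source": "CUST-NEED-4"},
    "REQ-2": {"text": "Sessions expire after 15 minutes of inactivity", "source": "SEC-POLICY-2"},
    "REQ-3": {"text": "Failed logins are written to the audit log", "source": "REG-7"},
}

# Constructed work products with their backward links to requirements.
WORK_PRODUCTS = {
    "DES-10":     {"kind": "design", "traces_to": ["REQ-1", "REQ-2"]},
    "SRC-auth":   {"kind": "code",   "traces_to": ["REQ-1"]},
    "TST-mfa":    {"kind": "test",   "traces_to": ["REQ-1"]},
    "SRC-cache":  {"kind": "code",   "traces_to": []},        # orphan: no requirement
    "TST-legacy": {"kind": "test",   "traces_to": ["REQ-9"]}, # dangling: REQ-9 removed
}

# Assumed rule: every requirement needs design, code and test coverage.
REQUIRED_KINDS = ("design", "code", "test")


def forward_matrix(requirements, work_products):
    """Forward trace: requirement id -> {kind: sorted work product ids}."""
    matrix = {req: defaultdict(list) for req in requirements}
    for wp_id, wp in work_products.items():
        for req in wp["traces_to"]:
            if req in matrix:
                matrix[req][wp["kind"]].append(wp_id)
    return {req: {kind: sorted(ids) for kind, ids in kinds.items()}
            for req, kinds in matrix.items()}


def check_traceability(requirements, work_products, required_kinds=REQUIRED_KINDS):
    """Report the three inconsistencies a bidirectional trace can expose.

    uncovered: requirement -> kinds of work product it still lacks (forward gap)
    orphans:   work products that trace to no requirement (backward gap)
    dangling:  (work product, requirement id) links to unknown requirements
    """
    matrix = forward_matrix(requirements, work_products)
    uncovered = {}
    for req, kinds in matrix.items():
        missing = [k for k in required_kinds if k not in kinds]
        if missing:
            uncovered[req] = missing
    orphans = sorted(wp for wp, v in work_products.items() if not v["traces_to"])
    dangling = sorted((wp, req) for wp, v in work_products.items()
                      for req in v["traces_to"] if req not in requirements)
    return {"uncovered": uncovered, "orphans": orphans, "dangling": dangling}


def impact_of(requirement_id, work_products):
    """Work products to revisit when a requirement changes (forward trace)."""
    return sorted(wp for wp, v in work_products.items()
                  if requirement_id in v["traces_to"])


if __name__ == "__main__":
    report = check_traceability(REQUIREMENTS, WORK_PRODUCTS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("impact of changing REQ-2:", impact_of("REQ-2", WORK_PRODUCTS))
```

On the constructed records the report shows REQ-2 with design but no code or test, REQ-3 with nothing traced to it at all, SRC-cache as an orphan work product and TST-legacy pointing at a requirement that no longer exists; each of those is the kind of inconsistency RDM 2.5 expects the project to resolve before it turns into rework.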
RDM 2.5
Required Practice Information
Practice Statement
Ensure that plans and activities or work products remain consistent with requirements.
Value
Minimizes rework by eliminating inconsistencies between requirements and related artifacts.
Example Activities
Level 3
RDM 3.1
Required Practice Information
Practice Statement
Develop and keep requirements updated for the solution and its components.
Value
Ensures the built solutions meet the customers’ needs and expectations in a consistent way
across the organization.
Example Activities
Context Specific
Development
Context: Use processes to develop quality products and services to meet the needs of
customers and end users.
Selection of a technology brings with it additional requirements. For instance, use of electronics
requires additional technology-specific requirements such as electromagnetic interference limits.
RDM 3.2
Required Practice Information
Practice Statement
Develop operational concepts and scenarios.
Value
Enables customers to understand, confirm, and commit to how their requirements will be met.
Example Activities
RDM 3.3
Required Practice Information
Practice Statement
Allocate the requirements to be implemented.
Value
Increases customer satisfaction by delivering a complete solution that meets requirements.
Example Activities
Context Specific
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
RDM 3.4
Required Practice Information
Practice Statement
Identify, develop, and keep updated interface or connection requirements.
Value
Reduces rework and risk due to incompatible internal and external interfaces or connections.
Example Activities
Context Specific
Development
Context: Use processes to develop quality products and services to meet the needs of
customers and end users.
RDM 3.5
Required Practice Information
Practice Statement
Ensure that requirements are necessary and sufficient.
Value
Avoids rework by only delivering necessary solutions.
Example Activities
RDM 3.6
Required Practice Information
Practice Statement
Balance stakeholder needs and constraints.
Value
Increases stakeholder satisfaction while addressing conflicting requirements and constraints.
Example Activities
Context Specific
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Analyze requirements and define required service system functionality and quality attributes to
balance the stakeholders’ needs, expectations, constraints, and interfaces or connections.
Depending on the service delivery context, consider factors such as feasibility, business
objectives and needs, cost constraints, end user types, potential market size, and procurement
strategy. Determine the parameters used to evaluate the effectiveness of service delivery based
on customer and end user input and the preliminary service delivery concept.
Suppliers
Context: Use processes to identify, select, and manage suppliers and their agreements.
Perform a cost benefit analysis to assess trade-offs between requirements and the effect on the
overall acquisition strategy.
This analysis often focuses on evaluating requirements that address architecturally significant
quality attributes. For example, a combination of tight response time requirements and high
reliability requirements could be expensive to implement. Impact analysis provides the insight
for the acquirer to select a more cost-effective solution to balance cost, schedule, and
performance against risk and opportunity.
RDM 3.7
Required Practice Information
Practice Statement
Validate requirements to ensure the resulting solution will perform as intended in the target
environment.
Value
Avoids rework cost and increases satisfaction by delivering a solution that meets customer
expectations and needs.
Example Activities
Intent
Identifies, records, analyzes, and manages potential risks or opportunities.
Value
Mitigates adverse impacts or capitalizes on positive impacts to increase the likelihood of
meeting objectives.
Explanatory PA Information
Practice Summary
Level 1
RSK 1.1 Identify and record risks or opportunities and keep them updated.
Level 2
RSK 2.1 Analyze identified risks or opportunities.
RSK 2.2 Monitor identified risks or opportunities and communicate status to
affected stakeholders.
Level 3
RSK 3.1 Identify and use risk or opportunity categories.
RSK 3.2 Define and use parameters for risk or opportunity analysis and handling.
RSK 3.3 Develop and keep updated a risk or opportunity management strategy.
RSK 3.4 Develop and keep updated risk or opportunity management plans.
RSK 3.5 Manage risks or opportunities by implementing planned risk or
opportunity management activities.
Context Specific
Agile Development
As an empirical framework, agile does not define practices and processes for risk and
opportunity management. Risk and opportunity management is performed using visual
information indicators, daily standups, short Sprints (iterations) with frequent feedback, and
close collaboration within teams and with customers. Some agile teams reduce technical risk by
using “spikes,” or rapid prototypes performed early in the project. Risk and opportunity
management can be easily added to the planning, execution, and retrospective activities of
each Sprint, or of selected Sprints.
Level 1
RSK 1.1
Required Practice Information
Practice Statement
Identify and record risks or opportunities and keep them updated.
Value
Enables organizations to avoid or minimize the impact of risks and leverage potential
opportunities related to achieving objectives.
Example Activities
Level 2
RSK 2.1
Required Practice Information
Practice Statement
Analyze identified risks or opportunities.
Value
Increases the likelihood of achieving objectives by reducing the impact of risks or leveraging
opportunities.
Example Activities
RSK 2.2
Required Practice Information
Practice Statement
Monitor identified risks or opportunities and communicate status to affected stakeholders.
Value
Enables timely corrective or leveraging actions to maximize the likelihood of achieving
objectives.
Example Activities
Level 3
RSK 3.1
Required Practice Information
Practice Statement
Identify and use risk or opportunity categories.
Value
Organizes risks or opportunities to focus attention on uncertainties that will impact the
achievement of objectives.
Example Activities
RSK 3.2
Required Practice Information
Practice Statement
Define and use parameters for risk or opportunity analysis and handling.
Value
Maximizes the likelihood of cost-effectively achieving objectives.
Example Activities
Context Specific
Safety
Identify potential hazards associated with any subsystem interfaces and faults. Assess the risk
associated with an integrated system design, including software and subsystem interfaces.
Leverage safety functional groups to assess the severity and probability of safety risks
associated with each identified hazard to determine the potential negative impact of the hazard.
For example, consider potential impacts to:
• Personnel
• Facilities
• Equipment
• Operations
• Public
• Environment
• System or solution
If safety risks increase beyond tolerance limits, then identify short-term and long-term actions
to reduce the risk to an acceptable level. Depending on the product and hazard scenario, this
may take the form of operational limitations, usage restrictions, in-service tests/inspections, or
design/manufacturing changes.
RSK 3.3
Required Practice Information
Practice Statement
Develop and keep updated a risk or opportunity management strategy.
Value
Avoids problems and leverages opportunities to increase the likelihood of achieving objectives.
Example Activities
RSK 3.4
Required Practice Information
Practice Statement
Develop and keep updated risk or opportunity management plans.
Value
Minimizes the impact of risks and maximizes the benefits of opportunities for achieving
objectives.
Generate leverage plans for selected high-priority opportunities. These plans describe how to
maximize the benefit of an opportunity.
Leveraging involves performing actions that maximize the benefits of an opportunity without
increasing the cost beyond the benefit. Typically, leveraging adds a relatively small amount of
cost while yielding a relatively high level of benefit.
Leveraging plans include:
• Cost benefit analyses
• Potential for success analyses
• Preparation activities
• Actions required to leverage opportunity
This activity can result in the discovery of new opportunities that can require replanning and
reassessment.
Example Activities
Context Specific
Safety
Context: Use processes to identify, select, and manage suppliers and their agreements.
Consider all risks in planning activities. Identify risks or opportunities from multiple
perspectives, e.g., acquisition, technical, management, operational, supplier agreement,
industry, support, end user. Consider applicable regulatory and statutory requirements, e.g.,
safety and security, while identifying risks. As the work evolves, revise risks based on changed
conditions.
There are many risks associated with acquiring solutions through suppliers, e.g., the stability of
the supplier, the ability to maintain sufficient insight into the progress of their work, the
supplier’s capability to meet solution requirements, and the skills and availability of supplier
resources to meet commitments.
Analyze the process and solution level measures and associated thresholds to identify where the
organization is at risk of not meeting thresholds. These measures are key indicators of risk.
RSK 3.5
Required Practice Information
Practice Statement
Manage risks or opportunities by implementing planned risk or opportunity management
activities.
Value
Reduces unforeseen occurrences that impair ability to achieve objectives and increases business
value by leveraging opportunities.
Example Activities
Intent
Delivers services and manages the service delivery system.
Value
Increases customer satisfaction by delivering services that meet or exceed customer
expectations.
Explanatory PA Information
Practice Summary
Level 1
SDM 1.1 Use the service system to deliver services.
Level 2
SDM 2.1 Develop, record, keep updated, and follow service agreements.
SDM 2.2 Receive and process service requests in accordance with service
agreements.
SDM 2.3 Deliver services in accordance with service agreements.
SDM 2.4 Analyze existing service agreements and service data to prepare for
updated or new agreements.
SDM 2.5 Develop, record, keep updated, and follow the approach for operating
and changing the service system.
SDM 2.6 Confirm the readiness of the service system to support the delivery of
services.
Level 3
SDM 3.1 Develop, record, keep updated, and use organizational standard service
systems and agreements.
Level 1
SDM 1.1
Required Practice Information
Practice Statement
Use the service system to deliver services.
Value
Improves customer satisfaction by delivering expected services.
Example Activities
Level 2
SDM 2.1
Required Practice Information
Practice Statement
Develop, record, keep updated, and follow service agreements.
Value
Enhances customer satisfaction by aligning service delivery with their expectations.
Example Activities
SDM 2.2
Required Practice Information
Practice Statement
Receive and process service requests in accordance with service agreements.
Value
Enhances service delivery to better meet customer expectations.
Example Activities
SDM 2.3
Required Practice Information
Practice Statement
Deliver services in accordance with service agreements.
Value
Increases customer satisfaction by establishing a common understanding of the types and
levels of service delivery.
Example Activities
SDM 2.4
Required Practice Information
Practice Statement
Analyze existing service agreements and service data to prepare for updated or new
agreements.
Value
Aligns service delivery capability and customer expectations as they change over time.
Example Activities
SDM 2.5
Required Practice Information
Practice Statement
Develop, record, keep updated, and follow the approach for operating and changing the service
system.
Value
Increases the likelihood that services and changes to them will meet customer expectations.
Example Activities
SDM 2.6
Required Practice Information
Practice Statement
Confirm the readiness of the service system to support the delivery of services.
Value
Improves customer satisfaction by ensuring the readiness of the service system for operation.
Example Activities
Level 3
SDM 3.1
Required Practice Information
Practice Statement
Develop, record, keep updated, and use organizational standard service systems and
agreements.
Value
Maximizes the availability and consistency of the service system to meet customer needs
efficiently and effectively.
Example Activities
Intent
Develops and deploys standard services that are compatible with strategic business needs and
plans.
Value
Increases likelihood of meeting business objectives by aligning standard services with customer
needs.
Explanatory PA Information
Practice Summary
Level 1
STSM 1.1 Develop a list of current services.
Level 2
STSM 2.1 Develop, keep updated, and use descriptions of current services.
STSM 2.2 Collect, record, and analyze data about strategic needs and capabilities
for service delivery.
STSM 2.3 Develop, keep updated, and follow an approach for providing new or
changed services derived from strategic needs and capabilities.
Level 3
STSM 3.1 Develop, keep updated, and use the set of organizational standard
service descriptions and service levels.
Level 1
STSM 1.1
Required Practice Information
Practice Statement
Develop a list of current services.
Value
Aligns offered services with customer and stakeholder needs and expectations.
Example Activities
Level 2
STSM 2.1
Required Practice Information
Practice Statement
Develop, keep updated, and use descriptions of current services.
Value
Enables consistent service delivery that aligns with customer needs.
Example Activities
STSM 2.2
Required Practice Information
Practice Statement
Collect, record, and analyze data about strategic needs and capabilities for service delivery.
Value
Identifies which needs and objectives have the greatest effect on increasing customer
satisfaction.
Example Activities
STSM 2.3
Required Practice Information
Practice Statement
Develop, keep updated, and follow an approach for providing new or changed services derived
from strategic needs and capabilities.
Value
Focuses resources on identifying services that best anticipate and meet market needs.
Example Activities
Level 3
STSM 3.1
Required Practice Information
Practice Statement
Develop, keep updated, and use the set of organizational standard service descriptions and
service levels.
Value
Minimizes cost and achieves faster time to market for new or changed services.
Example Activities
Intent
Selects qualified suppliers, establishes agreements, and manages the resulting supplier and
acquirer activities over the term of the agreement.
Value
Maximizes the probability of mutual success for acquirers and suppliers.
Explanatory PA Information
Practice Summary
Level 1
SAM 1.1 Identify, evaluate, and select suppliers.
SAM 1.2 Develop and record the supplier agreement.
SAM 1.3 Accept or reject the supplier deliverables.
SAM 1.4 Process supplier invoices.
Level 2
SAM 2.1 Identify evaluation criteria, potential suppliers, and distribute supplier
requests.
SAM 2.2 Evaluate supplier responses according to recorded evaluation criteria and
select suppliers.
SAM 2.3 Manage supplier activities as specified in the supplier agreement and
keep agreement updated.
SAM 2.4 Verify that the supplier agreement is satisfied before accepting the
acquired supplier deliverable.
SAM 2.5 Manage invoices submitted by the supplier according to the supplier
agreements.
Level 3
SAM 3.1 Conduct technical reviews of supplier performance activities and selected
deliverables.
SAM 3.2 Manage supplier performance and processes based on criteria in the
supplier agreement.
Level 4
SAM 4.1 Select measures and apply analytical techniques to quantitatively manage
suppliers against their performance targets.
Typically, these activities interactively support one another to gauge technical progress and
allow effective management of technical risks. Perform different levels of detailed analysis for
technical reviews to meet the acquirer’s requirements. Technical reviews with the supplier
involve measuring technical progress and the effectiveness of plans and requirements.
Technical reviews of the supplier should be performed with relevant processes, such as
requirements management, risk and opportunity management, configuration management, and
data management.
In some acquisitions, the acquirer assumes the role of overall architect or integrator for the
supplier deliverable. The acquirer needs to ensure that changes to requirements and supplier
agreements are acceptable given the constraints of the acquisition.
Context Specific
Security
Level 1
SAM 1.1
Required Practice Information
Practice Statement
Identify, evaluate, and select suppliers.
Value
Increases likelihood of selecting suppliers that meet the project’s parameters.
Example Activities
SAM 1.2
Required Practice Information
Practice Statement
Develop and record the supplier agreement.
Value
Increases likelihood of meeting requirements when using suppliers.
Example Activities
SAM 1.3
Required Practice Information
Practice Statement
Accept or reject the supplier deliverables.
Value
Increases the likelihood the supplier provides the agreed-on supplier deliverable.
Example Activities
SAM 1.4
Required Practice Information
Practice Statement
Process supplier invoices.
Value
Maintains a good working relationship with suppliers while meeting agreements.
Example Activities
Level 2
SAM 2.1
Required Practice Information
Practice Statement
Identify evaluation criteria, potential suppliers, and distribute supplier requests.
Value
Increases likelihood that selected suppliers consistently contribute to meeting business
objectives.
Example Activities
SAM 2.2
Required Practice Information
Practice Statement
Evaluate supplier responses according to recorded evaluation criteria and select suppliers.
Value
Matches selection of the best solution and supplier for meeting contractual requirements.
Example Activities
Context Specific
Security
The supplier selection team must evaluate and select suppliers, third-party components, or
solutions according to an established security selection criteria process. Develop supplier
selection and outsourcing processes jointly with input from Information Technology (IT),
security, engineering, and operations personnel to ensure comprehensive coverage.
Typical criteria that are found in a security selection process include:
• Information security management system, e.g., information security policies, data
protection, physical access, security incident handling processes, security tools and
environment
• Due diligence and background checks to determine if there are any risks associated with
implementing a supplier agreement
• Analysis of supplier processes used to build, operate, and support solutions, information
systems, solution components, and information system services
• Assessment of supplier training and experience in developing and delivering solutions,
solution components, or services with the required security capability. These reviews
provide organizations with increased levels of visibility into supplier activities during the
solution lifecycle to promote more effective supply chain risk and opportunity
management.
• Testing of supplier capabilities, e.g., through a pilot or prototype
• Supplier reviews to determine whether primary suppliers have security safeguards in place
and a practice for vetting subordinate suppliers, for example, second- and third-tier
suppliers and subcontractors. Questions that should be considered for the selection
process include:
o How do the suppliers manage their own personnel? Consider personnel in supplier
companies that have access to the data, systems, or facilities of their customers.
o How do the vendors manage their service providers? Any service provider with access
to company information poses a potential cyber risk.
o How do the vendors manage their products and software? Consider solutions with
embedded Information Technology (IT) and Application Programming Interfaces (APIs)
that integrate into customers’ systems.
Consider possible introduction of threats and vulnerabilities based on acquisition types. For
example, developed versus purchased solutions result in different security implications.
SAM 2.3
Required Practice Information
Practice Statement
Manage supplier activities as specified in the supplier agreement and keep agreement updated.
Value
Maximizes the likelihood that the supplier will fulfill acquirer expectations.
Example Activities
Context Specific
Security
Ensure that all activities identified in contracts contain standard security terms, conditions, and
tailoring options that must be implemented to meet commitments in the supplier agreement.
Ensure the Statement of Work (SOW) addresses the following security related aspects:
• Security governance
• Manufacturing and operational security
• Software engineering and architecture
• Asset management
• Incident management
• Transportation security
• Physical and environmental security
• Personnel security
• Information protection
• Sub-tier supplier and partner security, e.g., service providers and cloud
Establish measurement objectives relevant to managing secure suppliers, including a focus on
understanding the effects of supplier performance on security-related operational and financial
performance. Measurement objectives for the supplier enable tracking of the security-related
service-level expectations recorded in the supplier agreement. Collect supplier measurement
data to provide information in support of managing security aspects of the supplier agreements.
Examples of measures to monitor security for suppliers include:
• Number of threats and vulnerabilities discovered in the supplier’s solutions or solution
components
• Types of threats and vulnerabilities discovered in the solutions or solution components
• Number of supplier work product security evaluations completed, planned versus actual
• Number of supplier security process evaluations completed, planned versus actual
• Number of security incidents, by category, severity, and impact in the supplier’s solution
or solution components
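The measures listed above, computed from supplier measurement data and checked against the service-level expectations recorded in the supplier agreement. This is an added example, not CMMI model content; the records and the SLE thresholds are constructed placeholders standing in for what the agreement and the acquirer's tracking tools would actually hold.

```python
"""Supplier security measures (SAM 2.3, security) computed from constructed data.

Added example, not CMMI model content. It assumes the supplier agreement records
service-level expectations as simple thresholds (the SLE dict below is a constructed
placeholder) and that evaluation, vulnerability and incident records are available
as lists of dicts; real data would come from the acquirer's tracking tools.
"""
from collections import Counter

# Constructed sample records for one reporting period.
EVALUATIONS = [
    # planned security evaluations of supplier work products and processes,
    # with whether each was actually completed
    {"kind": "work_product", "subject": "ctrl firmware", "completed": True},
    {"kind": "work_product", "subject": "parser library", "completed": True},
    {"kind": "work_product", "subject": "installer", "completed": False},
    {"kind": "process", "subject": "secure build pipeline", "completed": True},
    {"kind": "process", "subject": "vulnerability handling", "completed": False},
]
VULNERABILITIES = [
    {"component": "parser library", "type": "memory safety", "severity": "high"},
    {"component": "parser library", "type": "input validation", "severity": "medium"},
    {"component": "ctrl firmware", "type": "hardcoded credential", "severity": "critical"},
]
INCIDENTS = [
    {"category": "malware", "severity": "high", "impact": "service disruption"},
    {"category": "data exposure", "severity": "medium", "impact": "confidentiality"},
]
# Constructed service-level expectations standing in for those in the agreement.
SLE = {
    "min_evaluation_completion": 0.8,   # share of planned evaluations actually completed
    "max_critical_vulnerabilities": 0,
    "max_high_severity_incidents": 0,
}


def compute_measures(evaluations, vulnerabilities, incidents) -> dict:
    """Produce the measures named in the model text from the raw records."""
    by_kind = {}
    for kind in ("work_product", "process"):
        planned = [e for e in evaluations if e["kind"] == kind]
        done = [e for e in planned if e["completed"]]
        by_kind[kind] = {"planned": len(planned), "actual": len(done)}
    planned_total = len(evaluations)
    completed_total = sum(1 for e in evaluations if e["completed"])
    return {
        "vulnerability_count": len(vulnerabilities),
        "vulnerabilities_by_type": dict(Counter(v["type"] for v in vulnerabilities)),
        "vulnerabilities_by_severity": dict(Counter(v["severity"] for v in vulnerabilities)),
        "evaluations": by_kind,
        # no planned evaluations means nothing is outstanding, so treat as fully complete
        "evaluation_completion": completed_total / planned_total if planned_total else 1.0,
        "incidents_by_category_severity_impact": dict(
            Counter((i["category"], i["severity"], i["impact"]) for i in incidents)
        ),
        "incidents_by_severity": dict(Counter(i["severity"] for i in incidents)),
    }


def check_service_levels(measures: dict, sle: dict) -> list:
    """Return the breached expectations (an empty list means the supplier is within the SLE)."""
    breaches = []
    if measures["evaluation_completion"] < sle["min_evaluation_completion"]:
        breaches.append("evaluation completion below agreed minimum")
    if measures["vulnerabilities_by_severity"].get("critical", 0) > sle["max_critical_vulnerabilities"]:
        breaches.append("critical vulnerabilities exceed agreed maximum")
    if measures["incidents_by_severity"].get("high", 0) > sle["max_high_severity_incidents"]:
        breaches.append("high-severity incidents exceed agreed maximum")
    return breaches


if __name__ == "__main__":
    m = compute_measures(EVALUATIONS, VULNERABILITIES, INCIDENTS)
    print("planned vs actual:", m["evaluations"])
    for breach in check_service_levels(m, SLE):
        print("SLE breach:", breach)
```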
SAM 2.4
Required Practice Information
Practice Statement
Verify that the supplier agreement is satisfied before accepting the acquired supplier
deliverable.
Value
Decreases risk of accepting an unsatisfactory supplier deliverable and confirms the supplier
agreement is satisfied before acceptance.
Example Activities
Context Specific
Safety
Accept safety-related solutions and solution components and identify hazards that could arise
from accepting and integrating the solution or solution component in the environment.
Methodologies to ensure what was requested is what was received include acceptance reviews,
tests, verification and validation activities, configuration audits, and safety evaluations. Safety
evaluations are a common and effective acceptance methodology, conducted to uncover
hazards.
The supplier agreement specifies the acceptance criteria for work products, including
parameters of safety evaluations and risk remediation processes.
Security
Accept security-related solutions and solution components and identify threats and
vulnerabilities that could arise from accepting and integrating the solution or solution
component in the environment.
Methodologies to ensure what was requested is what was received include acceptance reviews,
tests, verification and validation activities, configuration audits, and security evaluations.
Security evaluations are a common and effective acceptance methodology, conducted to
uncover vulnerabilities, e.g., malicious code, malicious processes, defective software, and
counterfeit components.
The supplier agreement specifies the acceptance criteria for work products, including
parameters of security evaluations and flaw remediation processes.
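One concrete form the acceptance criteria above can take: checking that every delivered component matches an authenticated manifest before acceptance, so a modified, missing, or extra (possibly counterfeit) component is caught. This is an added example, not CMMI model content; it assumes the supplier agreement specifies a SHA-256 manifest and a key exchanged under the agreement, and uses an HMAC over the manifest in place of the digital signature a real agreement would more likely specify.

```python
"""Acceptance check for a supplier deliverable against its authenticated manifest.

Added example for SAM 2.4 (security); not CMMI model content. It assumes the
supplier agreement specifies (a) a manifest listing every delivered component
with its SHA-256 digest and (b) an HMAC-SHA256 over the manifest body using a
key exchanged under the agreement. The HMAC stands in for the digital signature
a real agreement would more likely specify; the structure of the check is the same.
"""
import hashlib
import hmac
import json

# Constructed placeholder for the key agreed with the supplier.
AGREEMENT_KEY = b"placeholder-key-from-supplier-agreement"

# Constructed sample deliverable: component name -> delivered bytes.
DELIVERED = {
    "firmware/ctrl.bin": b"\x7fELF...constructed firmware image...",
    "lib/parser.so": b"constructed shared library bytes",
    "docs/INSTALL.txt": b"Install by copying firmware/ctrl.bin to /opt/ctrl\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(body: dict) -> bytes:
    """Deterministic encoding of the manifest body so both sides authenticate identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, key: bytes) -> str:
    """What the supplier would produce under the agreement: digests plus authentication tag."""
    body = {"components": {name: sha256_hex(data) for name, data in sorted(files.items())}}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})


def verify_deliverable(files: dict, manifest_json: str, key: bytes) -> dict:
    """Return {'accepted': bool, 'findings': [...]}; accept only when there are no findings.

    Checks, in order: manifest authenticity, every listed component present and
    unmodified, and no unlisted components (a possible counterfeit or extra part).
    """
    findings = []
    manifest = json.loads(manifest_json)
    body, tag = manifest.get("body", {}), manifest.get("tag", "")
    expected_tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        # Nothing else in the manifest can be trusted, so stop here.
        return {"accepted": False, "findings": ["manifest authentication failed"]}
    listed = body.get("components", {})
    for name, expected in listed.items():
        if name not in files:
            findings.append(f"missing component: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), expected):
            findings.append(f"hash mismatch: {name}")
    for name in files:
        if name not in listed:
            findings.append(f"unlisted component delivered: {name}")
    return {"accepted": not findings, "findings": findings}


if __name__ == "__main__":
    manifest = build_manifest(DELIVERED, AGREEMENT_KEY)
    print(verify_deliverable(DELIVERED, manifest, AGREEMENT_KEY))
    tampered = dict(DELIVERED, **{"lib/parser.so": b"modified in transit"})
    print(verify_deliverable(tampered, manifest, AGREEMENT_KEY))
```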
SAM 2.5
Required Practice Information
Practice Statement
Manage invoices submitted by the supplier according to the supplier agreements.
Value
Maintains a good business relationship between the acquirer and supplier.
Example Activities
Level 3
SAM 3.1
Required Practice Information
Practice Statement
Conduct technical reviews of supplier performance activities and selected deliverables.
Value
Improves the acquirer’s confidence in the ability of the supplier to provide the right supplier
deliverable at the right time with the right quality.
Example Activities
Context Specific
Development
Context: Use processes to develop quality products and services to meet the needs of
customers and end users.
Perform technical reviews throughout the work lifecycle to gain confidence that the
requirements, architecture, and technical supplier deliverables provide the required capability.
These reviews should be integrated with risk and opportunity management activities.
Types of technical reviews that can be conducted include:
• Integrated Baseline Review (IBR)
• Technology Readiness Assessment (TRA)
• System Requirements Review (SRR)
• Preliminary Design Review (PDR)
• Critical Design Review (CDR)
• Test Readiness Review (TRR)
• Production Readiness Review (PRR)
• Operational Test Readiness Review (OTRR)
Depending on where in the acquisition lifecycle the highest risks occur, the acquirer selects
technical supplier deliverables for analysis to reduce those risks. Select analysis methods based
on the type of technical solution being analyzed and the nature of the risk. For example:
• In the design phases of the solution, quality attribute models, simulations, prototypes, or
pilots can be used to provide additional information about the properties of the potential
design solutions to aid in their evaluation and selection. Simulations can be particularly
useful for complex systems.
• In the implementation phase, the acquirer can examine a supplier deliverable to
determine if it is ready for production and if the supplier has accomplished adequate
production planning. The analysis determines if production or production preparations
pose unacceptable risks that might compromise cost, schedule, performance, or other
established objectives. The acquirer might evaluate the full production configured supplier
deliverable to determine if it correctly and completely implements all contractual
requirements. The acquirer could also determine whether the traceability of the final
contractual requirements to the final production configured solution has been kept
updated.
The acquirer should select a supplier’s design to analyze the adequacy and completeness of
that design. The acquirer may also confirm that:
• The selected design adheres to applicable design standards and criteria
• The design adheres to allocated functional and quality attribute requirements
• The resulting supplier deliverable will perform appropriately in its target environment
• The solution baseline enables hardware fabrication and software coding to proceed with
proper configuration management
• Adequate production processes and measures are in place for the work to succeed
• The design can be implemented within the production budget
During implementation, the supplier implements the design reviewed and analyzed by the
acquirer by developing supplier deliverable components, integrating those components,
performing unit and integration testing of the solution, and developing operational and end user
documentation.
The acquirer can require delivery of verification results from the supplier of the technical
solution, as applicable. The suppliers can perform verifications in an iterative fashion,
concurrently with the acquirer’s technical analyses, or the supplier can be required to perform
follow-on verifications of technical solutions.
Typical expectations for verification addressed by the supplier agreement may include:
• List of deliverables and other work products that must be verified by the supplier
• Applicable standards, procedures, methods, and tools
• Criteria for verification of supplier work products
• Measurements to be collected and provided by the supplier regarding verification activities
• Reviews of supplier verification results and corrective actions with the acquirer
SAM 3.2
Required Practice Information
Practice Statement
Manage supplier performance and processes based on criteria in the supplier agreement.
Value
Maximizes the probability that the supplier’s performance will meet the acquirer’s needs, while
minimizing risk.
The acquirer decides on the necessary level of management depending on the level of risk incurred
when the supplier’s process is not performed correctly. Managing processes can range from
reviewing supplier performance data to conducting on-site appraisals of the supplier’s
processes. Analyzing selected processes involves compiling and analyzing supplier process data
to determine whether there are serious risks or issues.
Example Activities
Level 4
SAM 4.1
Required Practice Information
Practice Statement
Select measures and apply analytical techniques to quantitatively manage suppliers against
their performance targets.
Value
Enhances supplier performance by focusing attention on the most critical areas for success.
Example Activities
Intent
Designs and builds solutions that meet requirements.
Value
Provides a cost-effective design and solution that meets customer requirements and reduces
rework.
Explanatory PA Information
Practice Summary
Level 1
TS 1.1 Build a solution to meet requirements.
Level 2
TS 2.1 Design and build a solution to meet requirements.
TS 2.2 Evaluate the design and address identified issues.
TS 2.3 Provide guidance on use of the solution.
Level 3
TS 3.1 Develop criteria for design decisions.
TS 3.2 Develop alternative solutions for selected components.
TS 3.3 Perform a build, buy, or reuse analysis.
TS 3.4 Select solutions based on design criteria.
TS 3.5 Develop, keep updated, and use information needed to implement the
design.
TS 3.6 Design solution interfaces or connections using established criteria.
Context Specific
Agile Development
Agile teams build designs incrementally (“emergent design”), refining the design after developing
functionality during each Sprint. Emergent design can introduce risk when developing critical, complex, or large
systems since design defects introduced early can be expensive to correct later.
It is typical for agile teams to demonstrate less definition, clarity, and recording of designs as
compared to more traditional software development teams. Extensive use of white boards,
cameras, and other temporary mediums for recording designs is common among agile teams.
Design activities provide a foundation to ensure that the design is developed, usually
incrementally, prior to implementation, and the results are recorded to:
• Identify minimal viable product
• Efficiently share technical information with stakeholders
• Mitigate technical risks
• Peer review to find defects early
• Support maintenance
Table TS-1: Design Activities in an Agile Project shows where design activities are addressed in
a typical agile project.
Time is allocated to each Sprint to perform design practices. Design documentation can be in
the form of a picture and bulleted design notes stored in the same tools used to store user
stories or epics and other project data.
Data
Context: Use processes to incorporate data management best practices as an integral part
of the solution.
Establish and keep updated architecture standards and criteria which address data
considerations, e.g., data representations, data lineage, data security, data sovereignty, data
access, data privacy, and data provisioning. Three key concepts to address within architecture
standards include:
• Data representation, e.g., business terms, logical, physical, XML, modeling standards,
model management, data resiliency
• Data access, e.g., common data services, applicable information exchange standards,
standard methods for point-to-point data transit and bulk data movement, data
integration standards for safety and emergencies, data security, data privacy
• Data distribution, e.g., internal and external data provisioning such as distribution control
and management, data scalability, requesting and approving access, access restrictions,
distribution models for push and pull, publish and subscribe, ownership and authority,
regulatory authority and audit
Evaluate design decisions based on architecture standards, e.g., platform, technology, tools, to
ensure resulting solutions meet business needs for managing data.
DevSecOps
Context: DevSecOps is a mindset, a culture, and set of practices that fosters close
cooperation between development, operations, and security to plan, develop,
test, deploy, release, and keep updated a secure solution.
Consider safety concerns, constraints, hazards, and events throughout all aspects of product or
solution design. Address safety needs like any other requirement or criteria in the design of the
entire solution, e.g., components, interfaces, connections, and integration.
Security
Most aspects of security are addressed multiple times within a solution design, but software
design and development in particular can introduce many security vulnerabilities. However, few
software design methodologies or lifecycles explicitly address software security in detail, so
secure software design practices must be added to each element of the design to ensure that
the software being developed is well-secured. For more information, refer to NIST Special
Publication 800-218, Secure Software Development Framework.
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
It is important to remember that in some simple service systems the components are just the
people and the processes they perform.
Service system development focuses on the following activities:
• Collecting, coordinating, analyzing, validating, and allocating stakeholder requirements for
service systems
• Evaluating and selecting from alternative service system solutions that meet requirements
• Designing, building, or composing (as needed), integrating, and recording service systems
that meet requirements
Level 1
TS 1.1
Required Practice Information
Practice Statement
Build a solution to meet requirements.
Value
Provides the customer with a solution that implements the requirements and reduces the cost
of rework.
Example Activities
Level 2
TS 2.1
Required Practice Information
Practice Statement
Design and build a solution to meet requirements.
Value
Provides a structure to guide the implementation of a cost-effective solution that meets
requirements and avoids rework.
Example Activities
Context Specific
Safety
Consider security when developing design solutions, including design approaches, design
concepts, and preliminary designs. Apply security design principles, e.g., Principle of Least
Privilege (PoLP) and definition of trust boundaries, when developing solution designs. Evaluate
design solutions and technologies against security requirements.
Consider security risk assessments and review external agency threat lists to support the
decision-making process when designing solutions. Evaluate threats and vulnerabilities for each
solution alternative and use them in the decision process. Baseline and control all these
technologies and decisions in a secure environment.
TS 2.2
Required Practice Information
Practice Statement
Evaluate the design and address identified issues.
Value
Reduces cost by minimizing defects and ensuring that the solution meets requirements.
Example Activities
TS 2.3
Required Practice Information
Practice Statement
Provide guidance on use of the solution.
Value
Supports usability and maintainability of the solution.
Example Activities
Level 3
TS 3.1
Required Practice Information
Practice Statement
Develop criteria for design decisions.
Value
Increases the likelihood of producing a robust design that meets customer requirements and
constraints.
Example Activities
Context Specific
Data
Context: Use processes to incorporate data management best practices as an integral part
of the solution.
Address data needs, constraints, and requirements within design criteria. Data criteria should
include considerations of governance, privacy, data security, regulations, access, and other
controls.
Security
Address security needs, constraints, and requirements within design criteria. Design criteria
should include previously known design flaws. Typical security design flaws may include lack of:
• Threat modeling
• Secure design patterns
• Secure design principles
• Reference architecture
• System, operational, and data administration and management, e.g., Single Sign-On
(SSO), Multi-factor Authentication (MFA)
TS 3.2
Required Practice Information
Practice Statement
Develop alternative solutions for selected components.
Value
Ensures that the most beneficial solution is identified and selected.
Example Activities
TS 3.3
Required Practice Information
Practice Statement
Perform a build, buy, or reuse analysis.
Value
Ensures that the most effective way to implement the design has been chosen.
Example Activities
TS 3.4
Required Practice Information
Practice Statement
Select solutions based on design criteria.
Value
Ensures the most efficient and effective solution is selected to meet the customer’s
requirements within cost, schedule, and performance constraints.
Example Activities
TS 3.5
Required Practice Information
Practice Statement
Develop, keep updated, and use information needed to implement the design.
Value
Avoids rework by ensuring that solution implementers have the information they need to
develop a solution that meets the customer’s requirements.
Example Activities
TS 3.6
Required Practice Information
Practice Statement
Design solution interfaces or connections using established criteria.
Value
Reduces the likelihood of failures and rework during testing and operations and maximizes
performance.
Example Activities
Intent
Confirms selected solutions and components meet their requirements, and demonstrates
selected solutions and components fulfill their intended use in their target environment.
Value
Increases the likelihood that the solution will satisfy the customer.
Explanatory PA Information
Practice Summary
Level 1
VV 1.1 Perform verification to ensure the requirements are implemented and
record and communicate results.
VV 1.2 Perform validation to ensure the solution will function as intended in its
target environment and record and communicate results.
Level 2
VV 2.1 Select components and methods for verification and validation.
VV 2.2 Develop, keep updated, and use the environment needed to support
verification and validation.
VV 2.3 Develop, keep updated, and follow procedures for verification and
validation.
Level 3
VV 3.1 Develop, keep updated, and use criteria for verification and validation.
VV 3.2 Analyze and communicate verification and validation results.
Context Specific
Agile Development
Agile teams typically define a definition of done for each user story or requirement. Work is
performed until the definition of done is met for each user story. Acceptance from the product
owner is obtained during the Sprint review using defined acceptance criteria.
An agile team considers testing and demonstrations to address how the user will operate the
solution in the intended environment. Recorded results show the status of verification and
validation activities and provide an opportunity for analysis. Refer to Table VV-1: Example Agile
Verification and Validation Activities for examples of agile verification and validation activities.
Safety
Ensure appropriate techniques are considered for verifying and validating safety requirements
and recorded safety targets. Consider the following:
• Verification of components and the product using simulation
• Testing techniques requiring testing to a specified level of structural, data, or path
coverage
• Use of field-use data, including reference sites and service histories
• Prototype testing
• Stress testing
• Accelerated service-life testing
• Test cases and scripts aligned to potential points of operational failure
• Use of mathematical models to validate high safety assurance cases, e.g., simulations to
verify medical device regulations
These activities rely on other verification and validation to demonstrate that the product
performs its specified function in the intended-use environment and that unintended
functionality is not present.
If new hazards are discovered or known hazards are determined to have a higher risk category
than previously assessed, ensure the risk is formally accepted by the approving authority.
If it is not possible to eliminate an identified hazard, then reduce the associated risk to a level
that is deemed acceptable to the end user or approving authority.
Security
Incorporate security considerations into all aspects of verification and validation activities, e.g.,
environment setup, test procedures, test cases, and installation checklists. Ensure that
verification and validation environments and technologies meet defined security standards.
Plan which security work products should be selected for verification and validation activities.
For example, select the security requirements, designs, and prototypes that are the best
predictors of how well the solution or solution components satisfy end user security needs.
Perform verification and validation activities early, e.g., concept and exploration phases, and
incrementally throughout the solution lifecycle, including through the transition to operations
and retirement. Types of verification and validation activities to consider include:
• Penetration testing
• Fuzz testing
• Security focused peer reviews
• Tool-based security code reviews
• Static code analysis
• Dynamic analysis
• Security threat analysis reviews
• Simulations
• White, gray, and black box testing
• Review use of tags, cryptographic hash verifications, or digital signatures
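The last item above, reviewing cryptographic hash verifications or digital signatures, is the one most often left as a checkbox. The following script is an added illustration, not part of the CMMI model or any ISACA tooling: the component names, the manifest layout, and the sample bytes are constructed for the example. It records a SHA-256 digest per solution component in a manifest, protects the manifest with an HMAC-SHA256 tag (a stand-in for an asymmetric signature, so the example runs with the standard library only), and re-verifies both before a test run, producing a per-component status that can be recorded and communicated as a verification result.

```python
"""Added example: integrity gate for a V&V run (constructed sample data)."""
import hashlib
import hmac
import json

# Constructed sample components; in practice these are files from the build output.
COMPONENTS = {
    "auth-service.bin": b"\x7fELF...auth-service sample bytes...",
    "config.yaml": b"tls:\n  min_version: 1.2\n",
}


def _canonical(digests):
    """Serialize digests deterministically so the tag covers a fixed byte string."""
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(components, key):
    """Record one SHA-256 digest per component and tag the manifest with HMAC-SHA256.

    A shared key is used here only to keep the example self-contained; a release
    process would sign with a private key so verifiers hold no signing capability.
    """
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(components.items())}
    tag = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def verify(components, manifest, key):
    """Return a per-component verification status suitable for a V&V record.

    The manifest tag is checked first: if it does not verify, the recorded digests
    cannot be trusted and every entry is reported as 'untrusted-manifest'.
    hmac.compare_digest is used so comparison time does not depend on how many
    leading characters match.
    """
    digests = manifest["digests"]
    expected = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return {name: "untrusted-manifest" for name in digests}

    results = {}
    for name, recorded in digests.items():
        if name not in components:
            results[name] = "missing"
            continue
        actual = hashlib.sha256(components[name]).hexdigest()
        results[name] = "pass" if hmac.compare_digest(actual, recorded) else "modified"
    # Anything present but absent from the manifest is unintended functionality to flag.
    for name in components:
        if name not in digests:
            results[name] = "unlisted"
    return results


if __name__ == "__main__":
    key = b"constructed-manifest-key"
    manifest = build_manifest(COMPONENTS, key)
    for name, status in verify(COMPONENTS, manifest, key).items():
        print(f"{name}: {status}")
```

The four outcomes (pass, modified, missing, unlisted) map directly onto what a security representative needs to see in the recorded results: a modified or unlisted component is evidence that the artifact under test is not the artifact that was reviewed.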
During verification and validation activities, include security representatives to participate and
ensure the security risks, threats, and vulnerabilities have been evaluated, and that security
requirements are being met. Ensure management accepts any residual security risks and
mitigations associated with the solution. If the risk or mitigation is deemed unacceptable, then
the designed solution and associated technologies must be reworked.
When performing verification and validation activities, consider a dedicated test environment to
control the overall security testing parameters. The environment should reflect the intended
operational environment. If operational data is used during verification or validation, remove
or sanitize sensitive information, e.g., Personally Identifiable Information (PII), Personal Health
Information (PHI), and user-specific passwords. As changes are made during security
verification and validation, track the solutions tested and reviewed for security purposes and
place them under an appropriate level of configuration control. Ensure compatibility among
interfaces and connections by considering how the solution integrates with the management of
the internal and external interfaces and connections of secure solutions and solution components.
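Sanitizing operational data before it enters the test environment is itself a step that should be verified, not assumed. The script below is an added illustration and not part of the CMMI model: the sample record, field names, and patterns are constructed, and the regular expressions cover only e-mail addresses and North American style phone numbers, so a real deployment would extend the patterns and field list to its own data. It removes credential fields, masks PII inside free text, and then runs a separate check that reports any field still matching a sensitive pattern, which is the evidence a reviewer would ask for.

```python
"""Added example: sanitize an operational record for V&V use and verify the result."""
import re

# Constructed sample: one operational record copied toward the test environment.
SAMPLE_RECORD = {
    "user_id": 1042,
    "email": "jane.doe@example.com",
    "phone": "+1 415-555-0134",
    "password": "hunter2",
    "note": "Called from 415-555-0134, follow up at jane.doe@example.com",
    "order_total": 59.90,
}

# Heuristic patterns for the example; production use needs a fuller, data-specific set.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?:\+\d{1,3}[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}")
# Fields that must never be carried into test data, even in masked form.
SECRET_FIELDS = {"password", "password_hash", "api_key", "token"}
REMOVED = "<removed>"


def sanitize(record):
    """Return a copy of record with secrets removed and PII masked in string values."""
    clean = {}
    for key, value in record.items():
        if key in SECRET_FIELDS:
            clean[key] = REMOVED
        elif isinstance(value, str):
            value = EMAIL_RE.sub("<email>", value)
            value = PHONE_RE.sub("<phone>", value)
            clean[key] = value
        else:
            clean[key] = value  # non-string values pass through unchanged
    return clean


def residual_pii(record):
    """Verification step: list the fields that still contain a secret or a PII match."""
    hits = []
    for key, value in record.items():
        if key in SECRET_FIELDS and value != REMOVED:
            hits.append(key)
        elif isinstance(value, str) and (EMAIL_RE.search(value) or PHONE_RE.search(value)):
            hits.append(key)
    return hits


if __name__ == "__main__":
    before = residual_pii(SAMPLE_RECORD)
    cleaned = sanitize(SAMPLE_RECORD)
    after = residual_pii(cleaned)
    print("fields with sensitive data before:", before)
    print("fields with sensitive data after: ", after)
```

Running residual_pii over the unsanitized record first, and again over the output, gives a before/after pair that can be attached to the V&V record; a non-empty "after" list means the data set must not be loaded into the test environment.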
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Level 1
VV 1.1
Required Practice Information
Practice Statement
Perform verification to ensure the requirements are implemented and record and communicate
results.
Value
Reduces the cost of addressing requirements issues and increases customer satisfaction.
Example Activities
VV 1.2
Required Practice Information
Practice Statement
Perform validation to ensure the solution will function as intended in its target environment and
record and communicate results.
Value
Increases the likelihood that the result provides the right solution to meet customer
expectations.
Example Activities
Level 2
VV 2.1
Required Practice Information
Practice Statement
Select components and methods for verification and validation.
Value
Produces solutions that meet or exceed customer expectations and needs.
Example Activities
Context Specific
Development
Context: Use processes to develop quality products and services to meet the needs of
customers and end users.
Services
Context: Use processes to deliver, manage, and improve services to meet customer needs.
Service system components selected for verification and validation should cover:
• Services delivered in accordance with service delivery approaches and agreements
• Changes managed for the service delivery system
• Receipt and processing of service requests
• Sustainment of service delivery performance when changes occur
• Service agreements that describe what a service provider will deliver to the customer, and
includes:
o Service level and availability targets
o Responsibilities of the service provider, customer, and end user based on their process
role
o Communications channels and feedback mechanisms
Methods used for verification and validation of service system components may include:
• Prototyping
• Piloting
• Service delivery walk throughs
• Peer review
• User acceptance testing
VV 2.2
Required Practice Information
Practice Statement
Develop, keep updated, and use the environment needed to support verification and validation.
Value
Minimizes project delays by ensuring that verification and validation environments are ready
when needed.
Example Activities
VV 2.3
Required Practice Information
Practice Statement
Develop, keep updated, and follow procedures for verification and validation.
Value
Reduces the cost of performing the activities and makes performance more predictable.
Example Activities
Level 3
VV 3.1
Required Practice Information
Practice Statement
Develop, keep updated, and use criteria for verification and validation.
Value
Minimizes waste by ensuring the verification and validation activities focus on critical needs.
Example Activities
VV 3.2
Required Practice Information
Practice Statement
Analyze and communicate verification and validation results.
Value
Improves verification and validation effectiveness over time.
Example Activities
Intent
Aligns the workforce to the organization’s business objectives and empowers individuals and
workgroups to perform their roles efficiently and effectively.
Value
Enhances the capability of the workforce to contribute to the success of the business.
Explanatory PA Information
Practice Summary
Level 1
WE 1.1 Identify and allocate commitments to workgroups.
Level 2
WE 2.1 Record and allocate work assignments and keep them updated
based on an assessment of qualifications, skills, and related
criteria.
WE 2.2 Manage the transition of individuals in and out of roles and
workgroups.
WE 2.3 Develop, keep updated, and use communication and coordination
mechanisms within and across workgroups.
Level 3
WE 3.1 Develop, keep updated, and use workforce competencies to build
organizational capabilities and achieve objectives.
WE 3.2 Develop, keep updated, and use an organizational structure and
approach to empower workgroups.
WE 3.3 Develop, keep updated, and use organizational compensation
strategies and mechanisms.
The organization identifies its business objectives and determines what competencies are
required to achieve them. The resultant competency information is used to manage the
workforce to meet the performance needs of the organization.
This includes:
• Aligning the capability of the workforce with organizational objectives
• Designing an organizational structure that facilitates workforce empowerment
• Managing personnel in an orderly manner
• Establishing communication and coordination mechanisms within and amongst
workgroups
• Empowering workgroups with the authority and accountability to make decisions
• Establishing and using compensation strategies that motivate continuous performance
improvement
Level 1
WE 1.1
Required Practice Information
Practice Statement
Identify and allocate commitments to workgroups.
Value
Increases the focus of workgroups on critical business outcomes.
Example Activities
Level 2
WE 2.1
Required Practice Information
Practice Statement
Record and allocate work assignments and keep them updated based on an assessment of
qualifications, skills, and related criteria.
Value
Increases likelihood of workgroups achieving assigned tasks.
Example Activities
WE 2.2
Required Practice Information
Practice Statement
Manage the transition of individuals in and out of roles and workgroups.
Value
Accelerates the orientation of individuals to fulfill their responsibilities productively.
Example Activities
WE 2.3
Required Practice Information
Practice Statement
Develop, keep updated, and use communication and coordination mechanisms within and
across workgroups.
Value
Increases productivity through effective information sharing amongst individuals and
workgroups.
Example Activities
Level 3
WE 3.1
Required Practice Information
Practice Statement
Develop, keep updated, and use workforce competencies to build organizational capabilities and
achieve objectives.
Value
Maximizes consistent performance of the workforce.
Example Activities
WE 3.2
Required Practice Information
Practice Statement
Develop, keep updated, and use an organizational structure and approach to empower
workgroups.
Value
Provides workgroups with the authority and accountability to achieve outcomes effectively.
Example Activities
WE 3.3
Required Practice Information
Practice Statement
Develop, keep updated, and use organizational compensation strategies and mechanisms.
Value
Motivates the workforce to consistently support achievement of business results.
Example Activities
Table of Contents
Appendix A: Core Practice Areas, Categories, and Capability Areas
Introduction
Category: Doing
Category: Managing
Category: Enabling
Category: Improving
Category: Doing
This Category includes CAs for producing, buying, and delivering quality solutions.
Capability Area:
Ensuring Quality
This CA includes PAs important to both quality assurance and quality control.
Capability Area:
Engineering and Developing Products
This CA focuses on engineering, developing, and delivering products and product components.
Capability Area:
Delivering and Managing Services
This CA focuses on developing the capability to deliver agreed upon services, deploying new or
modified services, and establishing a portfolio of services.
Capability Area:
Selecting and Managing Suppliers
This CA establishes the buyer and supplier partnership to ensure that quality solutions are
delivered to the customer and end user.
Supplier Agreement Management involves evaluating and selecting suppliers, establishing
supplier agreements, managing the fulfillment of supplier agreements, and managing the
delivery of solutions from suppliers.
Category: Managing
This Category includes CAs for planning and managing work and the workforce.
Capability Area:
Planning and Managing Work
This CA involves determining the amount of work that needs to be done, planning and
scheduling the work, and then ensuring the work is being done in accordance with the plans
and schedules. It also confirms that resources are adequate to meet the plan and schedule.
Estimating includes forecasting the size, effort, and cost for the work required to develop,
acquire, or deliver the solution.
Capability Area:
Managing Business Resilience
This CA addresses the ability to anticipate, prepare for, and respond to interruptions in order to
continue operations. It involves identifying, evaluating, prioritizing, and handling risks. It
promotes timely and effective resolution and prevention of interruptions to minimize the impact
on business operations and to maintain the best possible level of service quality. It addresses
defining a minimum set of critical functions that must continue in the event of significant
interruption of normal operations.
Capability Area:
Managing the Workforce
This CA addresses the way an organization develops, retains, aligns, and empowers the
personnel needed to perform current and future work.
Enabling Virtual Work includes identifying, assessing, and addressing virtual, remote, and
hybrid work needs and constraints in a systematic and consistent manner. A virtual work
approach addresses personnel, process, technical, and other considerations, such as security.
Organizational Training provides a strategy and capability for training to support the
organization’s strategic business objectives, meet common tactical needs, and deliver training
across the organization.
Category: Enabling
This Category focuses on analyzing causes, making decisions, maintaining integrity of work
products and data, and communicating to stakeholders.
Capability Area:
Managing Data
This CA addresses the importance of organizing and using data within the bounds of business
requirements and verifying its integrity for effective decision making and consistent
communications to achieve target performance results.
Capability Area:
Supporting Implementation
This CA involves identifying and addressing the causes of selected outcomes, creating a
decision-making approach and structure, maintaining the integrity of work products, and
fostering communication and coordination among stakeholders.
Capability Area:
Managing Security and Safety
This CA describes best practices for holistically defining security and safety strategies,
approaches, activities, and functions necessary to protect the organization’s entire ecosystem,
including personnel, resources, and information. It involves identifying and evaluating security
and safety needs and constraints, prioritizing and planning relevant approaches to address
those needs and constraints, responding to and preventing harmful events and incidents, and
protecting and defending against safety incidents and security threats and vulnerabilities.
Managing Security and Safety (MSS) describes the capabilities needed to:
• Prepare: Define approaches for organizational preparedness and readiness to address
safety and security needs and constraints
• Investigate: Analyze, assess, and learn from safety or security events and incidents
• Monitor: Identify and respond to events and incidents that are potentially harmful to the
organization or solution, on a continuous basis
• Protect and Defend: Take steps and actions against current and future potentially harmful
impacts on the organization or solution to either avoid or minimize negative effects
• Preempt and Prevent: Conduct advanced analysis to anticipate and avoid harmful internal
or external threats, activities, or vulnerabilities caused by people, processes, or systems
• Review and Evaluate: Determine the effectiveness of security and safety approaches and
make necessary improvements
Category: Improving
This Category involves developing, managing, and improving processes and their related assets
with a primary focus on improving organizational performance.
Capability Area:
Improving Performance
Capability Area:
Sustaining Habit and Persistence
This CA verifies that processes are habitually and persistently performed and sustained
throughout the organization, and effectively contribute to meeting business performance
objectives.
Figure 30. CMMI Maturity Level Requirements depicts the requirements based on the core
Practice Areas and domains.
Within each maturity level, performance has been built in to allow organizations to easily
identify performance improvement needs, and then use the model practices to improve.
Maturity levels build on each other and cannot be skipped. CMMI appraisals are conducted to
verify achievement of CMMI practice group levels to determine and rate maturity levels and
capability levels.
The following list of maturity levels describes the evolutionary path, based on the practice
group levels, as required in the group of predefined core PAs, Figure 31. Core Practice Areas,
and one or more selected domains, Figure 32. Domain-Specific Practice Areas:
• Maturity Level 1: achieve Practice Group Level 1 in all targeted PAs
• Maturity Level 2: achieve Practice Group Level 2 in all targeted PAs
(Practice Group Level 1 is subsumed in Practice Group Level 2)
• Maturity Level 3: achieve Practice Group Levels 2 and 3 in all targeted PAs
• Maturity Level 4: achieve Practice Group Levels 2, 3, and 4 in all targeted PAs
• Maturity Level 5: achieve Practice Group Levels 2, 3, 4, and 5 in all targeted PAs
Capability Levels
Capability levels apply to an organization’s performance and process improvement
achievements in individual PAs. Within PAs, the practices are organized into a set of practice
group levels labeled Level 1 to Level 5 which provide a path to performance improvement. Each
practice group level builds on the previous levels by adding new functionality or sophistication
resulting in increased capability. Figure 33. Evolutionary View of Practice Group Levels in
Practices shows the evolutionary characteristics of the capability level for practices.
All capability level ratings must include the Implementation Infrastructure (II) and Governance
(GOV) PAs. The maximum capability level a PA can achieve is Capability Level 3. A capability
level rating can be assigned to a single PA, provided II and GOV are included in the rating. For
example, an organization could achieve Capability Level 3 for the PLAN PA if the practice group
levels for the practices in the PLAN, II, and GOV PAs up to Practice Group Level 3 are achieved.
Figure 34. Capability Level Rating Progression – CM Example shows the required Practice
Groups (PG) for the CM PA to achieve Capability Level 3.
For more information on determining capability levels and ratings, refer to the MDD.
Appendix E: Glossary
Glossary Terminology Context
Certain words in the CMMI Performance Solutions ecosystem have special meaning. When
applicable, that term is included in the glossary. Otherwise, the common English meaning of
words, e.g., Webster or Oxford dictionary, applies.
Terms appearing in the CMMI glossary take on the characteristics of the content where they
appear in the model or Method Definition Document (MDD). For example, if a term is used in
required information, it is required in that context, or if it appears in the explanatory
information, it is an explanatory term in that context.
Glossary Terms
5-Whys
A technique used to determine an issue's potential underlying causes. This technique involves
asking the question "Why?" repeatedly until the cause is identified.
acceptance criteria
Criteria that a solution must satisfy to be accepted by customers.
acceptance testing
Testing performed to determine whether a customer, acquirer, user, or their designee should
accept a solution.
acquirer
The stakeholder who obtains a solution from a supplier. (Refer to “affected stakeholder.”)
acquisition
Obtaining solutions by establishing and executing supplier agreements. (Refer to “supplier
agreement.”)
affected stakeholders
People impacted by a process, activity, work product, or decision.
agile
An approach to project management or delivery methodology in which the customer is
intimately involved in the project, tasks are divided into short phases of work, and there is
frequent reassessment and adaptation of plans.
agile development
This is a CMMI context-specific tag reserved for identifying unique information for agile
development projects. It is a framework for managing work using an iterative approach. It is
designed for small teams who break their work into actions that can be completed within
time-boxed iterations, e.g., two weeks, and who track progress and replan in 15-minute stand-up
meetings. (Refer to “agile.”)
allocated requirement
Requirement that results from levying all or part of a higher-level requirement on a solution's
lower-level design component. Requirements can be assigned to logical or physical components
including people, consumables, delivery increments, or the architecture.
appraisal
An examination of one or more processes by a trained team using a reference model as the
basis for determining, at a minimum, strengths and weaknesses.
architecture
The set of structures that need to be considered to establish a solution. These structures
consist of smaller components or elements, the relationships among those structures and
elements, and the properties of both. (Refer to "functional architecture.”)
base measure
A base measure is functionally independent of other measures and cannot be expressed in
other terms. A base measure is defined in terms of an attribute and the method for quantifying
it. (Refer to “derived measure.”)
baseline
A set of specifications or work products that:
• For maturity levels, the Benchmark Model View is a predefined set of core and domain-
specific Practice Areas, and their levels, for the purposes of conducting Benchmark
Appraisals or Sustainment Appraisals.
• For capability levels, the Benchmark Model View may be either a predefined view, or a
selection of Practice Areas or Capability Areas and their levels that meet the organization’s
business needs and performance objectives.
bidirectional traceability
An association that enables the ability to trace in either direction between logical entities, e.g.,
from requirements to design to code to test to the end solution, or from customer requirements
to product component requirements. (Refer to “requirements traceability” and “traceability.”)
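The definition above describes a chain of links that must be walkable in both directions. The following is an added example (not CMMI or ISACA code) that checks a set of trace links both ways: forward, to find requirements that never reach a test, and backward, to find design, code or test artifacts that trace to no requirement. The artifact identifiers, the layer-prefix naming scheme and the links in LINKS are constructed for illustration.

```python
"""Bidirectional traceability check over the chain
requirement -> design -> code -> test.

Added illustration, not CMMI or ISACA code. Forward tracing flags requirements
that never reach a test; backward tracing flags design, code or test items that
trace back to no requirement. The identifiers and trace links are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed trace links: (source artifact, target artifact). The prefix before
# the first "-" names the layer of the artifact (REQ, DES, CODE, TEST).
LINKS: List[Tuple[str, str]] = [
    ("REQ-1", "DES-1"), ("DES-1", "CODE-auth.py"), ("CODE-auth.py", "TEST-login"),
    ("REQ-2", "DES-2"), ("DES-2", "CODE-audit.py"),                  # never reaches a test
    ("DES-3", "CODE-export.py"), ("CODE-export.py", "TEST-export"),  # no requirement behind it
]


def build_graph(links):
    """Adjacency sets in both directions so tracing can run either way."""
    forward: Dict[str, Set[str]] = defaultdict(set)
    backward: Dict[str, Set[str]] = defaultdict(set)
    for src, dst in links:
        forward[src].add(dst)
        backward[dst].add(src)
    return forward, backward


def reachable(start: str, edges: Dict[str, Set[str]]) -> Set[str]:
    """All artifacts reachable from `start` by following `edges` (iterative DFS)."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        node = stack.pop()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def layer(artifact: str) -> str:
    return artifact.split("-", 1)[0]


def trace_gaps(links) -> Tuple[List[str], List[str]]:
    """Return (requirements with no test downstream,
               non-requirement artifacts with no requirement upstream)."""
    forward, backward = build_graph(links)
    artifacts = {a for pair in links for a in pair}
    untested = sorted(a for a in artifacts if layer(a) == "REQ"
                      and not any(layer(r) == "TEST" for r in reachable(a, forward)))
    orphans = sorted(a for a in artifacts if layer(a) != "REQ"
                     and not any(layer(r) == "REQ" for r in reachable(a, backward)))
    return untested, orphans


if __name__ == "__main__":
    untested, orphans = trace_gaps(LINKS)
    print("requirements without a test:", untested)
    print("artifacts with no requirement behind them:", orphans)
```

Both lists matter to a reviewer: an untested requirement is a verification gap, and code or tests with no requirement behind them indicate functionality that entered the solution outside the agreed scope.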
business performance
The accomplishment of a given capability or task measured against preset known objectives,
including, but not limited to, quality, cost, speed, accuracy, and completeness for delivery of a
solution to a customer. In the CMMI, the term "business performance" refers to performance at
the business or organizational level; it can be either organization-specific or aggregated from
the project level. For example, collect measurement and performance data at the project level
and aggregate the data to enable organizational performance analysis at the business level. (Refer
to “process performance.”)
capability
Capabilities are typically organizational level skills, abilities, and knowledge embedded in people,
processes, infrastructure, and technology. Capabilities are what an organization needs to
implement its business model or fulfill its mission and achieve measurable business results.
capability level
The highest practice group level for a given Practice Area at which the intent and value of all
practices is met. Capability levels are cumulative and for each practice group level met, all
lower-level practice groups must also be met. Available capability level ratings include:
Capability Level 1 (CL1), Capability Level 2 (CL2), and Capability Level 3 (CL3). To achieve a
target capability level:
• All practice groups in the Practice Area must be rated at the target level
• II and GOV practice groups must also be rated up to and including that same target level
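The two conditions above, together with the cumulative nature of practice group levels described in the Capability Levels section, can be encoded directly. The following is an added example (not CMMI or ISACA code) that derives a Practice Area's capability level rating from the practice group levels judged to be met; the Practice Area names and the appraisal findings in ACHIEVED are constructed for illustration.

```python
"""Capability level (CL) rating for a single Practice Area.

Added illustration, not CMMI or ISACA code. Encodes the glossary rule:
the CL is the highest practice group level L (capped at CL3) such that every
level 1..L is met in the target PA and also in II and GOV.
PA names and the findings in ACHIEVED below are constructed for the example."""
from typing import Dict, Set

MAX_CAPABILITY_LEVEL = 3  # CL ratings stop at 3; PG levels 4 and 5 are High Maturity


def highest_cumulative_level(met: Set[int], cap: int = MAX_CAPABILITY_LEVEL) -> int:
    """Levels are cumulative: stop at the first practice group level that is not met."""
    level = 0
    while level < cap and (level + 1) in met:
        level += 1
    return level


def capability_level(pa: str, achieved: Dict[str, Set[int]]) -> int:
    """CL for `pa`. II and GOV must be rated alongside it; a PA that was not
    appraised, or whose II/GOV companions were not, receives no rating (0)."""
    companions = (pa, "II", "GOV")
    if any(name not in achieved for name in companions):
        return 0
    return min(highest_cumulative_level(achieved[name]) for name in companions)


# Constructed appraisal findings: practice group levels judged "met" per PA.
ACHIEVED: Dict[str, Set[int]] = {
    "PLAN": {1, 2, 3},
    "CM":   {1, 2},
    "RSK":  {1, 3},        # level 2 not met, so level 3 cannot count
    "II":   {1, 2, 3},
    "GOV":  {1, 2, 3, 4},  # level 4 exceeds the CL cap
}

if __name__ == "__main__":
    for pa in ("PLAN", "CM", "RSK", "VER"):
        print(f"{pa}: CL{capability_level(pa, ACHIEVED)}")
```

A return value of 0 here simply means none of the three available ratings (CL1 to CL3) can be assigned; note that a strong PA is still held down to the weaker of II and GOV, which is the point of the second condition.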
Capability Maturity Model Integration (CMMI)
An integrated model of best practices that enable businesses to improve performance by
improving their processes. Product teams developed the model with global members from
across industry. The CMMI provides a best-practice framework for building, improving, and
sustaining process capability and performance. (Refer to “CMMI Performance Solutions
ecosystem.”)
capable process
A stable process able to meet the quality and process performance objectives set for it. The
process variation is within set specification limits. (Refer to “stable process.”)
category
Categories are logical groups or types of views of related Capability Areas that address common
problems encountered by businesses when producing or delivering solutions.
causal analysis
An evaluation technique used to identify causes and their relationship to effects. (Refer to “root
cause analysis.”)
change management
A methodical approach for controlling and implementing changes in a planned and structured
manner.
coaching
Using an experienced, trained, and capable individual to increase the knowledge, skills, and
process abilities of individuals or workgroups for a specific role, skill, or subject matter to
achieve an identified outcome.
compensation
Salary, wages, rewards, or recognition that may include benefits offered to employees for skills,
contributions, and work performed.
configuration audit
An audit conducted to verify that a configuration item or a collection of configuration items in a
baseline conforms to a baseline description. (Refer to “audit” and “configuration item.”)
configuration baseline
The configuration information formally designated at a specific time during a solution or solution
component’s life. Configuration baselines plus approved changes constitute the current
configuration information. (Refer to “product lifecycle.”)
configuration control
The process of managing changes to a formal configuration baseline. The process consists of
evaluating the change, coordinating any effects, approving or disapproving the change, and
configuration identification
A configuration management activity that involves selecting a product’s configuration items,
assigning them unique identifiers, and recording their functional and physical characteristics in
technical documentation. (Refer to “configuration item” and “configuration management.”)
configuration item
Work products designated for configuration management and treated as a single entity in the
configuration management process. (Refer to “configuration management.”)
configuration management
The process of managing the integrity of work products using configuration identification,
version control, change control, and audits. (Refer to “configuration identification”,
“configuration item”, “configuration audit”, and “version control.”)
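The entries for configuration audit, configuration baseline, and configuration management above describe one closed loop: designate items, record a baseline, admit only approved changes, and audit the items against the baseline. The following is an added example (not CMMI or ISACA code) of that loop using a manifest of SHA-256 digests as the baseline description. The file names, contents and the sequence of changes in demo() are constructed for illustration.

```python
"""Configuration audit against a configuration baseline.

Added illustration, not CMMI or ISACA code. The baseline is a manifest of
SHA-256 digests recorded for each designated configuration item (CI) when the
baseline was established; approved changes update the manifest; the audit
recomputes digests and reports CIs modified without an approved change, CIs
missing from the work area, and items present but never designated as CIs.
File names and contents are constructed for the example."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


def digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def establish_baseline(root: Path, items: Iterable[str]) -> Dict[str, str]:
    """Configuration identification plus baseline: record each CI's current digest."""
    return {name: digest(root / name) for name in sorted(items)}


def approve_change(baseline: Dict[str, str], root: Path, name: str) -> None:
    """An approved change (configuration control) becomes part of the baseline."""
    baseline[name] = digest(root / name)


def configuration_audit(root: Path, baseline: Dict[str, str]) -> Dict[str, object]:
    """Compare every file under `root` with the baseline description."""
    current = {p.relative_to(root).as_posix(): digest(p)
               for p in root.rglob("*") if p.is_file()}
    modified: List[str] = sorted(n for n in baseline if n in current and current[n] != baseline[n])
    missing: List[str] = sorted(n for n in baseline if n not in current)
    unexpected: List[str] = sorted(n for n in current if n not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected,
            "conforms": not (modified or missing or unexpected)}


def demo() -> Dict[str, object]:
    """Build a baseline, apply one approved and three unapproved changes, then audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src/auth.py").write_text("def login(): ...\n")
        (root / "config.yaml").write_text("tls: required\n")
        (root / "README.md").write_text("# service\n")
        baseline = establish_baseline(root, ["src/auth.py", "config.yaml", "README.md"])

        (root / "src/auth.py").write_text("def login(user, pw): ...\n")
        approve_change(baseline, root, "src/auth.py")         # approved: not flagged

        (root / "config.yaml").write_text("tls: optional\n")  # unapproved weakening
        (root / "README.md").unlink()                          # CI removed
        (root / "debug.sh").write_text("set -x\n")             # never designated a CI
        return configuration_audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The "unexpected" list is the one most often skipped in practice; a file that is present but was never designated a configuration item escapes both version control and the audit unless the audit enumerates the work area rather than only the manifest.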
contractual requirements
Result of analysis and refinement of customer requirements into a set of requirements suitable
for inclusion in solicitation packages or supplier agreements. Contractual requirements include
technical and nontechnical requirements necessary to acquire a solution. (Refer to “acquirer”,
“customer requirement”, and “supplier agreement.”)
customer
The party responsible for buying or accepting a solution or for authorizing payment for a
solution. Customers may also be end users.
customer requirement
The result of eliciting and consolidating needs, and resolving conflicts among those needs,
expectations, constraints, and interfaces or connections to clarify and define the solutions with
affected stakeholders in a way that is acceptable to them. (Refer to “customer.”)
cybersecurity
Protection and restoration of products, services, solutions, and supply chain; including
technology, computers, telecommunications systems and services, and information; to ensure
their availability, integrity, authentication, transport, confidentiality, and resilience. Cybersecurity
is a part of information security.
data
Qualitative or quantitative-based information that can be recorded, communicated, and
analyzed.
data cleansing
Typically involves removing or correcting inaccurate, corrupted, duplicate, improperly formatted,
or incomplete data.
data dictionary
A specification of data definitions and elements that includes information such as data type;
owner; table descriptions; source; size; required, default, and allowed values; constraints;
relationships to other data elements and meaning and purpose of the data.
data glossary
Contains the definitions and concepts of key business terms that are used regularly.
defect density
Number of defects per unit of solution size. An example is the number of bugs per thousand
lines of code.
defined process
The subset of organizational process assets that are essential for any tailored and managed
process. A fully defined process has enough detail that it can be consistently performed by
trained and skilled people and is both persistent and habitual. A defined process is required to
achieve Practice Group Level 3 in the CMMI Practice Areas. (Refer to “managed process.”)
deliverable
An item to be provided to an acquirer or other designated recipient as specified in an
agreement. This item can be a document, hardware item, software item, service, or any type of
work product. (Refer to “acquirer.”)
derived measure
Measure defined as a function of two or more base measures. Derived measures are often
expressed as ratios, composite indices, or other aggregate summary measures. (Refer to “base
measure.”)
derived requirements
Requirements that are not explicitly stated in customer requirements, but are inferred and
developed from:
Derived requirements can also arise during analysis and design of solution components. (Refer
to “product component requirements.”)
design review
A formal, recorded, comprehensive, and systematic examination of a solution or component
design to determine if the design meets applicable requirements, identify problems, and
propose solutions.
development
Creating products or solutions, including hardware and software, and their related components.
In some contexts, development can include maintenance of the developed solution.
DevSecOps
A combination of the terms “development,” “security,” and “operations.” DevSecOps is a
mindset, a culture, and a set of practices that fosters close cooperation among development,
security, and operations teams to plan, develop, test, deploy, release, and maintain a solution. The
goal of DevSecOps is to change and improve the relationship between development and operations
by advocating better communication and collaboration between these business units, with
security built into the work rather than added afterward.
document
A collection of information and data, regardless of the medium, that generally has permanence
and can be read by humans or machines. Documents can be work products reflecting the
implementation of processes that meet the intent and value of one or more model practices.
Documents may be embedded within an automated, robotic, or online system. Documents can
be hardcopies, softcopies, or accessible via hyperlinks in a web-based environment or
application. Documents are used and kept updated. (Refer to “artifact” and “record.”)
domain
An organizing principle in both the CMMI and appraisal method. Domains are functionally similar
groupings of Practice Areas that are applicable or tailored to an organization's primary
capabilities, e.g., Development for systems engineering or product development.
• Data (DATA)
• Development (DEV)
• People (PPL)
• Safety (SAF)
• Security (SEC)
• Services (SVC)
• Suppliers (SPM)
• Virtual (VRT)
empowerment
Authority given to a person or group to perform a specific task with the capability to undertake
technical, process, and workforce decisions autonomously.
entry criteria
Conditions that must be met before an effort can begin successfully. (Refer to “exit criteria.”)
evaluation
An examination of products, processes, services, or environments to identify strengths and
weaknesses.
example activities
Possible actions that may be taken when implementing processes that meet the intent of a
practice. The intent of "Example Activities" is to serve as guidance and suggestions, not as
required activities. It is not intended to be a comprehensive list.
exit criteria
Conditions that must be met before successful completion of an effort. (Refer to “entry
criteria.”)
functional analysis
An examination of functions of the solution or solution components to broaden and deepen
understanding.
functional architecture
The conceptual structure and logical arrangement of functions. This may include internal and
external interface or connection functions. (Refer to “architecture” and “functional analysis.”)
functional safety
The detection of a potentially dangerous condition, resulting in the activation of a protective or
corrective solution or solution component that prevents the hazardous event from arising or
mitigates its consequences.
The aspect of the overall safety of a solution, solution component, or piece of equipment that
depends on automatic protection operating correctly in response to its inputs, or failing in a
predictable manner (fail-safe). An automatic protection system may be designed to properly
handle likely human errors, hardware, solution, or solution component failures, and
operational or environmental stress.
gemba walk
The term used to describe personal observation of work where the work is happening. The
Japanese term gemba means “the actual place”; the related term gembutsu means “real thing.”
hardware engineering
The application of a systematic, disciplined, and measurable approach to transforming a set of
requirements, using documented techniques and technology to design, implement, and
maintain a tangible solution. In CMMI, hardware engineering represents all technical fields, e.g.,
electrical and mechanical engineering, that transform requirements and ideas into tangible
solutions. (Refer to “software engineering” and “systems engineering.”)
hazard
A condition or event that poses a risk to safety. Hazards can be internal or external.
High Maturity
CMMI practice group levels (and their associated practices) of 4 or 5 are considered High
Maturity practices and levels. High Maturity organizations and projects use quantitative and
statistical analysis to determine, identify, and manage central tendency and dispersion and
understand and address process stability and capability and how these impact the achievement
of quality and process performance objectives.
hybrid work
An approach to performing work that encompasses a combination of virtual and in-person work
activities.
informative material
Includes everything other than the required information. Explanatory information in practices is
part of the informative material. Informative material also includes the overview and
appendices, e.g., glossary, index. Informative material must not be ignored; it is needed to
correctly understand and adopt the model. (Refer to “required information.”)
External links can be added to the informative material. These are links to external assets such
as:
interface data
Information describing interfaces or connections.
interface or connection
A shared boundary across components, humans, services, hardware, or software that needs or
exchanges information or data. Either term “interface” or “connection” may be used to describe
this boundary.
knowledge
An individual’s understanding of facts or information. Knowledge provides the basis for
performing a skill that an individual must have to perform a task successfully.
lifecycle model
A representation or description of the steps and activities for the development and updating of
a solution communicated to stakeholders and followed by a project or organization. This
description may include:
• Phases
• Sequence
• Interrelationships
• Inputs
• Outputs
• Decision points
• Roles and responsibilities
managed process
A performed process that is recorded, followed, updated, and made persistent and habitual in
its use. A managed process is required to achieve Practice Group Level 2 in the CMMI Practice
Areas. (Refer to “performed process.”)
maturity level
A rating that describes the degree to which processes in an Organizational Unit (OU) meet the
intents and values of a predefined set of Practice Areas. The rating is based on the achievement
of a specified set of practice group levels within the predefined set of Practice Areas. Available
maturity level ratings include: Maturity Level 1 (ML1), Maturity Level 2 (ML2), Maturity Level 3
(ML3), Maturity Level 4 (ML4), and Maturity Level 5 (ML5).
measurement-based
Information obtained by identifying, capturing, and analyzing objective measurable data.
memorandum of agreement
A record of expectations and arrangements between two or more parties also known as a
“memorandum of understanding”. (Refer to “Statement of Work.”)
mentoring
The process and relationship of an experienced individual providing guidance to a less
experienced individual or workgroup in support of their development growth and activities.
model component
Any of the five main architectural elements or parts that compose the CMMI. These include the
view, Practice Area, practice group, practice, and informative material. (Refer to “informative
material”, “practice”, “Practice Area”, “practice group”, and “view.”)
natural bounds
The inherent range of variation in a process, as determined by process performance measures.
Natural bounds are sometimes referred to as “control limits” or the “voice of the process”.
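The entries for natural bounds, stable process, and capable process fit together: the natural bounds are computed from the process's own data, stability means the data stay inside them, and capability additionally requires that those bounds fall within the specification limits set for the process. The following is an added example (not CMMI or ISACA code) that computes natural bounds with an individuals/moving-range chart and separates "stable" from "capable"; the chart constant 2.66 is the standard value for that chart, and the patch-deployment cycle-time data are constructed for illustration.

```python
"""Natural bounds (control limits) and the stable-versus-capable distinction.

Added illustration, not CMMI or ISACA code. Uses the standard individuals /
moving-range chart: natural bounds sit at mean +/- 2.66 * mean moving range
(2.66 = 3 / d2 with d2 = 1.128 for subgroups of two). The cycle-time data are
constructed: days from release of a critical patch to fleet-wide deployment."""
from typing import List, Sequence, Tuple

E2 = 2.66  # individuals-chart constant, 3 / d2 for subgroups of size 2


def natural_bounds(xs: Sequence[float]) -> Tuple[float, float, float]:
    """Return (mean, lower natural bound, upper natural bound)."""
    if len(xs) < 2:
        raise ValueError("need at least two observations")
    mean = sum(xs) / len(xs)
    moving_ranges = [abs(b - a) for a, b in zip(xs, xs[1:])]
    mr_bar = sum(moving_ranges) / len(moving_ranges)
    return mean, mean - E2 * mr_bar, mean + E2 * mr_bar


def out_of_bounds(xs: Sequence[float]) -> List[int]:
    """Indices of points outside the natural bounds: signals of special causes."""
    _, lcl, ucl = natural_bounds(xs)
    return [i for i, x in enumerate(xs) if x < lcl or x > ucl]


def is_stable(xs: Sequence[float]) -> bool:
    """Stable: all variation stays within the natural bounds (voice of the process)."""
    return not out_of_bounds(xs)


def is_capable(xs: Sequence[float], lsl: float, usl: float) -> bool:
    """Capable: stable AND the natural bounds lie inside the specification limits
    (voice of the customer). An unstable process is never capable, whatever the spec."""
    if not is_stable(xs):
        return False
    _, lcl, ucl = natural_bounds(xs)
    return lsl <= lcl and ucl <= usl


# Constructed data: days to deploy a critical patch across twelve releases.
STEADY = [4, 5, 4, 6, 5, 4, 5, 6, 5, 4, 5, 5]
SPIKED = [4, 5, 4, 6, 5, 4, 5, 6, 5, 4, 12, 5]   # one release slipped badly

if __name__ == "__main__":
    for name, data in (("steady", STEADY), ("spiked", SPIKED)):
        mean, lcl, ucl = natural_bounds(data)
        print(f"{name}: mean={mean:.2f} bounds=[{lcl:.2f}, {ucl:.2f}] "
              f"stable={is_stable(data)} capable(<=10 days)={is_capable(data, 0, 10)}")
```

The STEADY series is stable and capable against a 10-day objective but not against a 7-day one, because its upper natural bound (about 7.5 days) exceeds the tighter specification even though no single observation did; the SPIKED series is unstable, so its capability cannot be judged until the special cause behind the 12-day release is addressed.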
objectively evaluate
To review activities and work products against criteria that minimize subjectivity and bias by the
reviewer.
offboard
The process of separating an individual from an organization, workgroup, or role. This typically
involves a phased transfer of knowledge, return of equipment, removal of access, transition or
archival of records, and exit interviews. Exit interviews can be used to gather information
relevant to morale and retention.
onboard
The process of integrating an individual into an organization, workgroup, or role.
operational concept
A general description of the way in which a component or solution is used or operates. An
operational concept may also be referred to as a “concept of operations.”
operational scenario
A description of a potential sequence of events that includes the interaction of a component or
solution with its environment and users, and with other solution components. Operational
scenarios are used to evaluate the requirements and design of the system and to verify and
validate the system.
opportunity
An uncertain event that may positively impact meeting objectives.
optimizing process
A quantitatively managed process that is continually improved to increase its capability. These
continuous improvements can be made through both incremental and innovative improvements.
An optimizing process is required to achieve Practice Group Level 5 in the CMMI Practice Areas.
(Refer to “quantitatively managed process” and “defined process” for contrast.)
or
The use of “or” in the CMMI means either “and” or “or.”
organizational directives
Expectations established by senior management that are adopted by an organization to
influence and determine decisions; may also be referred to as “organizational policies.”
patch management
The process to identify, acquire, install, and verify a set of changes to a computer program or
its supporting data for solutions and systems. A patch is typically an isolated change of a
specified scope and is sometimes referred to as a bug fix.
peer reviews
The examination of work products performed by similarly skilled personnel during the
development of work products to identify defects for removal. Peer reviews are sometimes
called work product inspections. (Refer to “work product.”)
performance parameters
Measurable criteria used to monitor progress towards quantitative objectives. Collectively,
performance parameters provide a metric for determining success for the business or project.
performed process
A simple approach or set of steps that produces solutions or work products. A performed
process is required to achieve Practice Group Level 1 in the CMMI Practice Areas.
practice
A practice consists of two parts:
• Required practice information: Information required to understand the full intent and
value of the practice, which includes the practice statement (intent), the value statement,
and the additional required information
• Explanatory practice information: Remaining parts of the practice, including additional
explanatory PA/practice information, example activities and work products, which are
important and useful to better understand the practice statement (intent), value
statement, and additional required information
Practice Area (PA)
A collection of similar practices that together achieve the defined intent, value, and required
information described in that Practice Area.
practice group
The organizing structure for practices within a Practice Area; it aids understanding and adoption
and provides a path for performance improvement. Practice groups are organized by levels.
process
A set of interrelated activities, which transform inputs into outputs to achieve a given purpose.
(Refer to “process element.”)
process architecture
The structural design and ordering, interfaces or connections, interdependencies, and other
relationships among the process elements.
process asset
An element of a process that has value to the organization or work effort. An asset can include
hardware, firmware, software, systems, information, measurements, databases, and templates,
as well as the processes and procedures themselves.
process capability
A recorded range of expected results that can be achieved by following a process.
process description
A record for a specific process. Process descriptions may be documents, embedded or
automated steps or instructions in a component, system, tool, robot, or graphical
representations, etc.
process element
The fundamental unit of a process that cannot be further broken down.
process group
The people or team who hold a process role and are responsible for developing, deploying, and
updating the organization's process assets. (Refer to “process role.”)
process improvement
Tasks and activities planned, performed, and used to improve an organization's process
capability and performance to achieve business objectives more effectively. (Refer to
“organization’s business objectives.”)
process measurement
Activities performed to collect objective information and assign numeric values related to the
activities, steps, and outputs of following a process. This information is analyzed to determine
the effectiveness, efficiency, and performance of a process. (Refer to “measurement” and
"process performance.”)
process owner
The person or team responsible for developing, updating, or following a process. An
organization or project can have multiple owners at different levels of responsibility for:
process performance
A measure of results achieved by following a process. Process performance may be
characterized by both process measures, e.g., effort, cycle time, defect removal efficiency, and
solution measures, e.g., reliability, defect density, response time. (Refer to “business
performance.”)
process role
A description of the roles of people who develop, use, or follow a process in an organization.
This role is typically recorded in a process description or related artifact, e.g., a roles and
responsibility table or matrix. People in these roles provide Objective Evidence (OE) showing
and explaining their roles and responsibilities and how they participate in the processes.
product component
A work product that is a building block of the product or solution. Product components are
integrated to produce the final product or solution. There can be multiple levels of
components.
product lifecycle
A representation of the set of steps or activities, consisting of phases, that begins at conception
of a product or service and ends when the product or service is no longer available for use. For
example, a product lifecycle could consist of the following phases:
Organizations can produce multiple products or services for multiple customers, and so may
define multiple product lifecycles. These lifecycles may be adapted from published literature for
use in an organization.
product line
A group of products:
project plan
A plan that provides the basis for performing and controlling project activities, and addresses
commitments to the customer. A project plan is based on estimating the attributes of work
products and tasks, determining the resources needed, negotiating commitments, producing a
schedule, and identifying and analyzing risks. Iterating through these activities can be
necessary to establish the project plan.
project startup
Initial time period or event when a project begins. (Refer to “project.”)
quality attribute
Property of a solution by which affected stakeholders determine and judge its quality. Quality
attributes are:
• "Non-functional”
• Significantly influence architecture
• Characterized by one or more measures
• Availability
• Maintainability
• Modifiability
• Reliability
• Responsiveness
• Scalability
• Security
• Timeliness
• Throughput
• Usability
qualitative objective
Used to describe targets or goals that are subjective and typically not expressed in quantifiable
terms but may contribute to increased performance or capability.
quantitative management
An approach to managing a project using quantitative techniques to understand actual or
predicted process performance and variation relative to quality and process performance
objectives, and to identify the corrective action needed to meet those objectives.
quantitative objective
Desired target value expressed using objective measures. (Refer to “measure”, “process
improvement objectives”, and “Quality and Process Performance Objectives (QPPOs).”)
reference model
A defined model describing practices and activities that is used for improving performance or as
a benchmark for measuring capability or maturity.
remote
An approach to performing work that includes individuals working virtually from different
geographic locations, e.g., work from home, satellite office, hotel, customer facility, coworking
space.
required information
Information required for satisfying a practice or Practice Area. Required information includes
Practice Area Intent statement, practice statement, Value statement, and Additional Required
Information.
requirement
A recorded description of an aspect, performance, or capability required by a user or customer.
requirements analysis
Tasks that determine the needs or conditions to meet a new or altered solution, accounting for
multiple perspectives, e.g., balancing stakeholder needs and constraints, allocation of
requirements to components, breaking down complex requirements to lower-level
requirements.
requirements elicitation
A technique used to gather knowledge or information to proactively identify and record
customer and end user needs.
requirements management
The process of documenting, analyzing, tracing, prioritizing, and agreeing on requirements and
then controlling change and communicating to affected stakeholders. It is a continuous process
throughout a project.
requirements traceability
A record of the relationships between requirements and related requirements, implementations,
and verifications. (Refer to “bidirectional traceability.”)
risk
A potential uncertain event that may be harmful or may negatively impact objective
achievement.
risk mitigation
A set of planned activities, which if performed, may minimize the probability or impact of the
risk.
safety
A condition of protection from harm. The two key areas of safety are workplace environment
and functional safety.
security resilience
The ability to prepare for and adapt to changing conditions and withstand and recover rapidly
from security disruptions, including cybersecurity. Resilience includes the capability to withstand
and recover from deliberate attack, accidents, or naturally occurring threats, vulnerabilities, or
other security events.
security threats
Any circumstance or event with the potential to adversely impact organizational operations
including mission, functions, assets, personnel, processes, systems, or brand reputation through
unauthorized access, destruction, disclosure, modification of information, or denial of service.
Source: NIST Computer Security Resource Center (CSRC) Glossary
security vulnerabilities
Weakness in a solution, information system, system security procedure, internal control, or
implementation that could be exploited by a threat source.
Source: CMMC/NIST SP 800-30 Rev 1
senior management
The person or persons who provide the policy and overall guidance for the process, but do not
typically provide the direct day-to-day monitoring and controlling of the process. A senior
manager has authority to direct the allocation or reallocation of resources in support of
organizational process improvement effectiveness. A senior manager can be any manager who
satisfies this description, including the head of the organization.
service
An activity that provides a promised exchange of value between a service provider and
customer, product, or work product. Services do not always produce tangible or storable
products; in such instances, the service itself is the deliverable. (Refer to “solution.”)
Service Level Agreement (SLA)
A contract between a service provider, either internal or external, and the customer or end user
that defines the level of service expected from the service provider. SLAs are output-based in
that their purpose is specifically to define what the customer will receive. SLAs do not define
how the service itself is provided or delivered.
service system
An integrated and interdependent combination of components that satisfies stakeholder
requirements.
shared vision
A common understanding of guiding principles, including mission, objectives, expected behavior,
values, and final outcomes, developed and used by an organization, project, or work group.
size
Number of items, or volume of work effort or work products being produced, such as activities,
pages, requirements, number of components, or solutions. Use size as a basis for scoping
estimates and plans.
skills
The abilities that an individual demonstrates to accomplish work.
solution
A product, product component, service, service system, service system component, process, or
tool that is developed, delivered, acquired, or operated to fulfill a defined need. A solution may
include relevant data, people, safety, or security components or subcomponents.
solution component
A work product that is a building block of the solution. Solution components are integrated to
produce the solution. There can be multiple levels of solution components. (Refer to “product
component.”)
stable process
The state in which special causes of process variation have been removed from the process and
prevented from recurring. In a stable process, only common cause variation of the process
remains. (Refer to “capable process”, “common cause of variation”, and “special cause of
variation.”)
This term is used at levels 4 and 5 where practices describe how statistical and other
quantitative techniques are used to improve understanding of work group and organizational
processes and performance. (Refer to “statistical techniques” and “quantitative management.”)
statistical techniques
Mathematical techniques used with the collection, analysis, interpretation, and presentation of
masses of numerical data to understand process variation and predict process performance.
Examples include sampling techniques, analysis of variance, chi-squared tests, regression
analysis, and process control charts.
subprocess
A process that is part of a larger process. Subprocesses can be further decomposed into
subprocesses and/or process elements. (Refer to "process”, "process description”, and "process
element.”)
supplier
An entity having an agreement with an acquirer to design, develop, manufacture, maintain,
modify, deliver, or supply solutions under terms of an agreement. Examples include individuals,
partnerships, companies, corporations, and associations. (Refer to “acquirer.”)
supplier deliverable
An item to be provided to an acquirer or other recipient as specified in an agreement. The item
can be a document, hardware or software item, a service, a solution, or any type of work
product.
systems engineering
Interdisciplinary approach governing technical and managerial effort required to transform a set
of customer needs, expectations, and constraints into solutions and to support solutions
throughout their lifecycle.
tailoring
Developing or adapting a process description or work product according to organizational
defined standard guidelines to achieve a result. For example, a project develops its tailored
process from the organization’s set of standard processes to meet objectives or constraints
within the project environment. (Refer to “organization’s set of standard processes” and
“process description.”)
tailoring guidelines
Organizational guidelines that enable individuals, projects, and organizational functions to
appropriately adapt standard processes for their use. Tailoring guidelines may allow additional
flexibility when dealing with less critical processes or those that only indirectly affect business
objectives. (Refer to “organization’s set of standard processes” and “tailoring.”)
technical performance
Characteristic of a process or solution generally defined by a functional or technical requirement
that is often recorded in a contract or Statement of Work.
threat intelligence
Information an organization uses to understand the threats that have targeted, are currently
targeting, or will target the organization. This information is used to prepare for, identify, and
prevent security and cybersecurity threats seeking to take advantage of valuable resources. This
is also referred to as cyber threat intelligence.
unit testing
Testing of individual hardware or software units.
version control
Identifies the correct versions of work products and confirms the right versions are available for
use or for restoring to a previous version. Also includes the establishment and maintenance of
baselines and the identification of changes to baselines to obtain previous baselines.
view
A selection of model components relevant to the organization or user. Two primary types of
views currently exist:
• Predefined view: A logical grouping of predefined CMMI components used to define the
appraisal model view scope. Examples include: CMMI-DEV Maturity Level 2, CMMI-SVC
Maturity Level 5.
• Customized view: Any combination of Capability Areas, Practice Areas, practice groups, or
practices that are defined by the end user. Customized views are defined to be relevant to
business objectives. (Refer to “Benchmark Model View.”)
virtual work
Includes use of virtual, remote, or hybrid operations and methods to manage personnel, work
efforts, communication, and collaboration. This also includes operations and delivery of a given
service, process, activity, task, or solution to customers and affected stakeholders.
work product
An output from a process, activity, or task; it may be a stand-alone output or part of a
solution.
workforce competency
A collection of knowledge, skills, and process abilities performed by individuals or workgroups
that an organization needs for performing a particular type of work. A workforce competency
can be stated as a discipline, such as software engineering, financial accounting, or technical
writing. A workforce competency is frequently decomposed to incorporate the unique needs and
constraints relevant to the organization. For example, software engineering with Scrum Master
experience.
workforce management
Leverages workforce policies, organizational structures, processes, and related infrastructure to
establish and promote workforce empowerment and performance.
workgroup
A collection of people who work closely together on tasks that are highly interdependent to
achieve shared objectives. A workgroup typically reports to a responsible individual who may be
involved in managing its daily activities. The operational parameters of workgroups can vary
based on objectives and should therefore be clearly defined. Workgroups can operate as a
project, if designated accordingly.
Appendix F: Abbreviations
Abbreviation Term
AAA access control, authorization, and accounting
AI Artificial Intelligence
AIM Accelerated Improvement Method
API application program interface
APT Advanced Persistent Threat
ASARP As Safe As Reasonably Practicable
ASPICE Automotive Software Process Improvement and Capability Determination
AV Antivirus
AWS Amazon Web Services
BOM Bill of Materials
BYOD Bring Your Own Device
CA Capability Area
CAR Causal Analysis and Resolution (Practice Area)
CBT computer-based training
CCB Change or Configuration Control Board
CCD Career and Competency Development
CCPA California Consumer Privacy Act
CD Continuous Delivery
CDPA Virginia Consumer Data Protection Act
CDR Critical Design Review
CHMLA Certified CMMI High Maturity Lead Appraiser
CI Continuous Integration
CI/CD Continuous Integration/Continuous Delivery
CL Capability Level
CM Configuration Management (Practice Area)
CMM Capability Maturity Model
CMMC Cybersecurity Maturity Model Certification
CMMI Capability Maturity Model Integration
CMMI-DATA CMMI Data (Domain View)
CMMI-DEV CMMI Development (Domain View)
CMMI-PPL CMMI People (Domain View)
CMMI-SAF CMMI Safety (Domain View)
CMMI-SEC CMMI Security (Domain View)
CMMI-SPM CMMI Suppliers (Domain View)
CMMI-SVC CMMI Services (Domain View)
CMMI-VRT CMMI Virtual (Domain View)
COBIT Control Objectives for Information and Related Technologies
COI Conflict of Interest (see also OCI)
CONT Continuity (Practice Area)
COOP Continuity Of Operations
COSHH Control of Substances Hazardous to Health
COTS Commercial Off-The-Shelf
CPA Colorado Privacy Act
CPM Critical Path Method
CUI Controlled Unclassified Information
CWE Common Weakness Enumeration
DAM Database Activity Monitoring
DAR Decision Analysis and Resolution (Practice Area)
DDL Data Definition Language
DDoS Distributed Denial of Service
DEI Diversity, Equity, and Inclusion
DEV Development (Domain)
DevSecOps Development, Security, and Operations
DLP Data Loss Prevention
DM Data Management (Practice Area)
DMS Delivering and Managing Services (Capability Area)
DoD Department of Defense
DQ Data Quality (Practice Area)
DSCI Data Security Council of India
EDP Engineering and Developing Products (Capability Area)
EDR endpoint detection and remediation
EITVOX Entry Criteria, Inputs, Tasks or activity descriptions, Verification and
Validation, Outputs, Exit Criteria
ENQ Ensuring Quality (Capability Area)
ERM Enterprise Risk Management
ESAF Enabling Safety (Practice Area)
ESEC Enabling Security (Practice Area)
ESG Environmental, Social, and Governance
ESOH Environment, Safety, and Occupational Health
EST Estimating (Practice Area)
ETL Extract, Transform, Load
EU European Union
EVMS Earned Value Management System
EVW Enabling Virtual Work (Practice Area)
EWG Empowered Workgroups
F2F Face-to-Face
FEMA Federal Emergency Management Agency
FFA Functional Failure Analysis
FMEA Failure Mode and Effects Analysis
FMECA Failure Mode, Effects, and Criticality Analysis
FOSS Free Open-Source Software
FTE Full-Time Employee
GDPR General Data Protection Regulation
GEOINT GEOspatial INTelligence
GOV Governance (Practice Area)
GQM Goal Question Metric
GRC Governance, Risk, and Compliance
HAZOP Hazard and Operability Analysis
HIPAA Health Insurance Portability and Accountability Act
HIPs Host Intrusion Prevention system
HITECH Health Information Technology for Economic and Clinical Health Act
HMC High Maturity Concepts (Course Title)
HMLA CMMI High Maturity Lead Appraiser (Certification)
IaC Infrastructure as Code
IBR Integrated Baseline Review
IDEF Integrated DEFinition Methods
IDM IDentity Management
IEC International Electrotechnical Commission
II Implementation Infrastructure (Practice Area)
ILT Instructor-Led Training
IMP Improving Performance (Capability Area)
IMS Integrated Master Schedule
IoT Internet of Things
IPS Intrusion Prevention System
IRP Incident Resolution and Prevention (Practice Area)
ISACA Information Systems Audit and Control Association
ISO International Standards Organization
IT Information Technology
ITAR International Traffic in Arms Regulations
ITIL Information Technology Infrastructure Library
IV&V Independent Verification and Validation
KPI Key Performance Indicators
LA Certified CMMI Lead Appraiser
MAGERIT Methodology of Analysis and Risk Management Information Systems
MBR Managing Business Resilience (Capability Area)
MC Monitor and Control (Practice Area)
MD Managing Data (Capability Area)
MDD CMMI Appraisal Method Definition Document
MDDAP Medical Device Discovery Appraisal Program
MDM mobile device management
MFA Multi-Factor Authentication
ML Maturity Level
MPM Managing Performance and Measurement (Practice Area)
MSS Managing Security and Safety (Capability Area)
MST Managing Security Threats and Vulnerabilities (Practice Area)
MTBF Mean Time Between Failures
MTTF Mean Time to Failure
MWF Managing the Workforce (Capability Area)
NAC network access control
NASSCOM National Association of Software and Service Companies
NIST National Institute of Standards and Technology
NTIA National Telecommunications and Information Administration
OB Organizational Behavior
OCI Organizational Conflict of Interest (see also COI)
OE Objective Evidence
OSHA Occupational Safety and Health Administration (US) or Agency (EU)
OT Organizational Training (Practice Area)
OTRR Operational Test Readiness Review
OU Organizational Unit
PA Practice Area
PAD Process Asset Development (Practice Area)
PAL Process Asset Library
PARS Published Appraisal Results System
PCI DSS Payment Card Industry Data Security Standard
PCM Process Management (Practice Area)
PDR Preliminary Design Review
PERT Program Evaluation and Review Technique
PG Practice Groups
PGL Practice Group Level
PHA Preliminary Hazard Analysis
PHI Personal Health Information
PI Product Integration (Practice Area)
PII Personal Identifiable Information
PIM privileged identity management
PIPL Personal Information Protection Law
PLAN Planning (Practice Area)
PMW Planning and Managing Work (Capability Area)
PoLP Principle of Least Privilege
PoP Period of Performance
PPE Personal Protective Equipment
PPL People (Domain)
PQA Process Quality Assurance (Practice Area)
PR Peer Reviews (Practice Area)
PRR Production Readiness Review
PSM Practical Software and Systems Measurements
PWS Performance Work Statement
QA Quality Assurance
QPPO Quality and Process Performance Objectives
QRT Quick Response Team
RASCI Responsible, Accountable, Supporting, Consulted, Informed
RDM Requirements Development and Management (Practice Area)
RFI Request for Information
RFP Request for Proposal
ROI Return on Investment
ROT Redundant, Obsolete, and Trivial
RPA Robotic Process Automation
RSK Risk and Opportunity Management (Practice Area)
SAF Safety (Domain)
SAM Supplier Agreement Management (Practice Area)
SANS SysAdmin, Audit, Network, Security
SAST Static Application Security Testing
SBOM Software Bill of Materials or Sales Bill of Materials
SBOS Software Bill of Sales
SCIFs Sensitive Compartmented Information Facilities
SDM Service Delivery Management (Practice Area)
SEC Security (Domain)
SEI Software Engineering Institute
SHP Sustaining Habit and Persistence (Capability Area)
SI Supporting Implementation (Capability Area)
SIEM Security information and event management
SIPOC Suppliers, Inputs, Processes, Outputs, Customers
SLA Service Level Agreement
SMART Specific, Measurable, Achievable, Relevant, Time-bound
SME Subject Matter Experts
SMS Selecting and Managing Suppliers (Capability Area)
SOC Security Operations Center
SOO Statement of Objectives
SOP Standard Operating Procedure
SOW Statement of Work
SPM Suppliers (Domain)
SRR System Requirements Review
SSC Security Standards Council
SSL Secure Sockets Layer
SSO Single Sign-On
SSP System Security Plan
STIG Security Technical Implementation Guide
STSM Strategic Service Management (Practice Area)
SVC Services (Domain)
SW-CMM Software CMM
SWOT Strength, Weakness, Opportunity, and Threat
TDD Test-Driven Development
TIP threat intelligence platform
TRA Technology Readiness Assessment
TRR Test Readiness Review
TS Technical Solution (Practice Area)
UAT user acceptance testing
UEBA user and entity behavior analytics
UI user interface
UK HSE United Kingdom Health and Safety Executive
US United States
VM Virtual Machine
VPN virtual private network
VRT Virtual (Domain)
VV Verification and Validation (Practice Area)
WAF web application firewall
WBS Work Breakdown Structure
WE Workforce Empowerment (Practice Area)
XML eXtensible Markup Language
NOTE: Government organizations and legislation not otherwise identified are in the United States.
Appendix I: Acknowledgements
The initial launch and continued development of the CMMI Performance Solutions ecosystem is
made possible by hundreds of individuals and organizations who support the development as
sponsors, leaders, developers, contributors, reviewers, and translation verifiers. ISACA is deeply
grateful to the community of people who continue to contribute to the ecosystem. For a list of
individuals and acknowledgements visit:
https://cmmiinstitute.com/products/cmmi/acknowledgements.